Lilu (Lilocked) ransomware was first discovered by a ransomware note uploaded on ID Ransomware, a portal for identifying new ransomware based on the demand specified in the ransomware note.
Now, the new strain of ransomware has reportedly infected thousands of Linux servers around the world, with the attacks haven commenced in mid-July, but severe cases were most evidence in the last few weeks. While the actual mechanism employed in the attack remains unknown, it is quite obvious that bad actors are targeting Linux-based servers running on the defunct Exim software.
The ransomware note that accompanied the attacks come with the encrypted message: “I’ve encrypted all your sensitive data!!! It’s a strong encryption, so don’t be naive to restore it;)” according to a Russian forum.
And once the victims click on the link within the note, they are redirected to a site on the dark web, demanding that they enter the key from the note, which when entered, requires them to deposit 0.03 bitcoin or the equivalent of $325 in an Electrum wallet in order to recover their files.
But luckily, the ransomware doesn't affect any system file, and Linux systems will continue to run as normal; as it target only files with such extensions as CSS, PHP, HTML, SHTML, JS, INI and other formats. Albeit, the actual number of infected Linux servers could not be ascertained as there are many of such servers currently not indexed on Google.
For now, there is no security advisory issued to mitigate the attack, however as per usual security recommendation, try to ensure your passwords are strong and all apps are updated to latest versions.