Linux™ operating systems are sometimes overlooked as targets for malware due to the smaller pool of victims compared to more popular operating systems. With the reduced number of targets, the attacker is incentivized to direct their efforts towards a richer hunting ground. But despite that, the lilu (or lilocked) ransomware targets solely Linux based web servers. It has infected over 6000 servers so far and looks to continue for the foreseeable future.
While the ransomware primarily targets Linux web servers, there is no evidence precluding the ransomware’s ability to infect other Linux systems. The web server’s infected status is visible to web crawlers whereas non-web server systems would not be as publicly visible. The lilu ransomware encrypts files on the victim’s system and leaves a “#README.lilocked” file in each folder in which encrypted files are located. The “#README.lilocked” file is a ransom note that directs the victim to a Tor page with a key to use on said Tor page. The key provides access to a second ransom note that directs the victim to purchase Bitcoin or Electrum to pay a ransom to decrypt the files.
The ransom has been so far inconsistent and has reportedly requested from .01BTC to .03BTC. So far the ransomware has only encrypted non-essential files and has left the servers running. It targets a few kinds of file extensions such as HTML, SHTML, JS, CSS, PHP, INI, and other image file formats.
There has not been any success in the decryption efforts. But one victim, going by Jay Gairson on Twitter, claims that the ransomware uses an Exim exploit and that the ransomware persists despite the system being taken offline and replaced. Exim is an open-source mail transfer agent for Unix-like operating systems. The exploit that is suspected is tracked in CVE-2019-15846 and has since been patched and leads researchers to believe lilu only affects older versions of Exim. There has yet to be any evidence of paying the ransom being a successful method to decrypt one’s files as well, though the attacker is not incentivized to create a reputation of services not rendered.
Sources:
• https://www.zdnet.com/article/thousands-of-servers-infected-with-newlilocked-lilu-ransomware/
• https://fossbytes.com/lilocked-ransomware-infected-linux-servers/09