Delaware, USA – September 9, 2019 – Lilocked ransomware appeared on researchers' radars a month and a half ago; in early August the number of attacks began to grow, and since then more than 6,000 servers have been infected. It is not known for certain how the infection occurs, but the adversaries obtain admin access to the server and encrypt files that are not related to its normal operation. The ransomware appends the .lilocked extension to encrypted files and drops into each folder a file containing a ransom demand in bitcoin and instructions. The attackers demand a relatively small payment – only 0.01 – 0.03 bitcoin – but it is not yet known whether they are playing fair. Victims are given 7 days to contact the cybercriminals through a website on the Tor network and receive a decryptor.
Security researcher Benkow discovered 6,700+ encrypted servers, some of which were indexed by Google. Among the victims of Lilocked are CloudLinux, CentOS, and Debian servers. The actual number of victims may be significantly greater, since the cybercriminals are able to attack servers other than those hosting websites. In addition, it is not known what actions the attackers took before encryption: whether any backdoors were installed or sensitive information was stolen. Although this campaign is far from the scale of the Ryuk or Sodinokibi operations, it can cause significant financial losses. You can spot breach attempts and monitor the security of your web applications with your SIEM and Threat Detection Marketplace content: https://my.socprime.com/en/integrations/web-application-security-framework-hpe-arcsight
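The one concrete indicator the article gives is the .lilocked extension appended to encrypted files, with encrypted files clustered per folder alongside a ransom note. The following scanner is an added example, not SOC Prime code or detection content from the Threat Detection Marketplace: it walks a directory tree, counts .lilocked files per directory, and reports affected directories so that an administrator can confirm or rule out the infection on a suspect server. It assumes a local filesystem scan; because the article does not give the ransom note's filename, the scanner matches only the extension and does not try to identify the note. The sample directory tree is constructed inside a temporary directory purely to exercise the function.

```python
import os
import tempfile
from collections import Counter

# Extension the article reports Lilocked appending to encrypted files.
LILOCKED_EXT = ".lilocked"


def scan_for_lilocked(root, min_files=1):
    """Walk `root` and return {directory: count} for every directory that
    holds at least `min_files` files ending in .lilocked.

    Symlinks are not followed, so a planted link cannot drag the scan
    outside the tree being examined. Matching is case-insensitive on the
    extension only; file contents are never opened."""
    hits = Counter()
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        count = sum(1 for name in filenames if name.lower().endswith(LILOCKED_EXT))
        if count >= min_files:
            hits[dirpath] = count
    return dict(hits)


def summarize(root, min_files=1):
    """Roll the per-directory hits up into totals useful for a ticket or SIEM event."""
    hits = scan_for_lilocked(root, min_files=min_files)
    return {
        "dirs_affected": len(hits),
        "files_affected": sum(hits.values()),
        "hits": hits,
    }


def build_sample_tree():
    """Constructed sample tree (not data from any real incident): a web root
    with three renamed files next to an untouched system directory."""
    root = tempfile.mkdtemp(prefix="lilocked-demo-")
    web_root = os.path.join(root, "var", "www", "html")
    etc_dir = os.path.join(root, "etc")
    os.makedirs(web_root)
    os.makedirs(etc_dir)
    for name in ("index.html.lilocked", "style.css.lilocked", "logo.png.lilocked"):
        open(os.path.join(web_root, name), "w").close()
    # A file the ransomware would leave alone: needed for the server to run.
    open(os.path.join(etc_dir, "hosts"), "w").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = summarize(sample_root)
    print(f"directories affected: {report['dirs_affected']}")
    print(f"files affected:       {report['files_affected']}")
    for directory, count in sorted(report["hits"].items()):
        print(f"  {count:4d}  {directory}")
```

On a real server you would point `summarize()` at `/` (or at the web root and home directories first, since those are where the article says the damage lands) and forward the totals to the SIEM; raising `min_files` filters out a stray file that merely happens to carry the extension.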