The Lilocked (or Lilu) ransomware was first reported by the malware researcher Micheal Gillespie. He observed the first case of Lilocked when a user uploaded a ransomware note to his ID Ransomware website. This website can be used to identify the ransomware based on the details in the note.
Once infected, the victim’s data is encrypted with .lilocked file extension. A note named #README.lilocked is displayed along with the encrypted files. It redirects the users to a website on the dark web and provides a key to log in to the site. Users are then asked to make a payment in bitcoins to get their files decrypted.
Thousands of servers have been infected with this ransomware since July.
Impact of a Lilocked attack
It has been observed that Lilocked doesn’t affect system files, but files with extensions such as HTML, CSS, PHP, JS, INI, and other image formats.
Researchers are yet to figure out the mechanism behind this ransomware’s operation. They are on the lookout for a sample to discover ways of decrypting the affected files.
Because the operating mechanism of Lilocked is not clear, there are no specific security recommendations. However, you can adopt preventive measures such as: