• Lilocked ransomware has been targeting Linux servers and encrypting the data stored on them since mid-July. In the last two weeks, the attacks have been observed more frequently.
  • The affected users are redirected to the dark web and asked to make a payment to decrypt their files.


The Lilocked (or Lilu) ransomware was first reported by the malware researcher Michael Gillespie. He observed the first case of Lilocked when a user uploaded a ransom note to his ID Ransomware website. This website can be used to identify the ransomware based on the details in the note.

Once a server is infected, the victim’s data is encrypted and the files are given the .lilocked extension. A note named #README.lilocked is left alongside the encrypted files. It directs users to a website on the dark web and provides a key to log in to the site. Users are then asked to make a payment in bitcoins to get their files decrypted.
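A server can be checked for the two indicators named above, the .lilocked extension and the #README.lilocked note. The script below is an added example, not code from the original article or from the researchers it cites; the function names and the example path are assumptions.

```shell
#!/bin/sh
# Indicators as reported in the article: encrypted files end in .lilocked
# and the ransom note is named #README.lilocked.
NOTE_NAME='#README.lilocked'

# Print how many encrypted files sit under $1 (the note itself is excluded).
# One dot is emitted per file so odd filenames cannot skew the count.
lilocked_count() {
    find "$1" -type f -name '*.lilocked' ! -name "$NOTE_NAME" \
        -exec sh -c 'for f; do printf .; done' sh {} + 2>/dev/null |
        wc -c | tr -d ' '
}

# Print each directory under $1 that contains a ransom note, one per line.
lilocked_note_dirs() {
    find "$1" -type f -name "$NOTE_NAME" -exec dirname {} \; 2>/dev/null | sort -u
}

# Summarise findings for $1. Returns 0 if clean, 1 if indicators exist,
# 2 if $1 is not a directory.
lilocked_scan() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    enc=$(lilocked_count "$root")
    notes=$(lilocked_note_dirs "$root")
    if [ "$enc" -eq 0 ] && [ -z "$notes" ]; then
        echo "no Lilocked indicators under $root"
        return 0
    fi
    echo "files with .lilocked extension: $enc"
    if [ -n "$notes" ]; then
        printf 'ransom note %s found in:\n%s\n' "$NOTE_NAME" "$notes"
    fi
    return 1
}

# Example invocation (path is an assumption): sh lilocked_scan.sh /var/www
if [ "$#" -gt 0 ]; then
    lilocked_scan "$1"
fi
```

A clean result only means these two indicators are absent under the scanned path.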

Thousands of servers have been infected with this ransomware since July.

Impact of a Lilocked attack

It has been observed that Lilocked doesn’t affect system files; instead, it encrypts files with extensions such as HTML, CSS, PHP, JS, and INI, as well as various image formats.

  • It targets Linux servers and gains root access. Because system files remain unaffected, the servers run normally.
  • This cyberattack causes encrypted files to be listed in the Google search results.
  • There is speculation that Lilocked is targeting servers that run an outdated version of Exim. This theory is also supported by a Russian forum.

Researchers are yet to figure out the mechanism behind this ransomware’s operation. They are on the lookout for a sample to discover ways of decrypting the affected files.

Final thoughts

Because the operating mechanism of Lilocked is not clear, there are no specific security recommendations. However, you can adopt preventive measures such as:

  • Using strong and unique passwords
  • Being aware of security flaws in the apps you use
  • Updating all apps to their latest versions with the required security patches
  • Avoiding email attachments from unknown senders
Cyware Publisher