# Lilocked Ransomware Actively Targeting Servers and Web Sites

**[bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/](https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/)**

Lawrence Abrams

By
[Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)

September 6, 2019
10:19 AM
0

A relatively new ransomware named Lilocked by researchers and Lilu by the developers is
actively targeting servers and encrypting the data located on them. All of the known infected
servers are web sites, which is causing the encrypted files to show up in Google search
results.

[We first reported about Lilu in our The Week in Ransomware article on July 26th, 2019](https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-26th-2019-state-of-emergency/)
[when Michael Gillespie saw a sample uploaded to his ID Ransomware service. It was](https://twitter.com/demonslay335/status/1152593459225739265)
[spotted again yesterday by security researcher Benkow who tweeted about it.](https://twitter.com/benkow_/status/1169575406967635976?s=12)

Google [reports over 6,000 search results with web servers that have been encrypted by this](https://www.google.com/search?q=%22%23README.lilocked%22+%22index+of%22)
ransomware and having their files renamed with a .lilocked extension. It should be noted
that many of these results are for the same web sites.


-----

**Google search results showing infected servers**
Furthermore, submissions stats from ID Ransomware show that this infection has a low
volume, but steady, amount of submissions ot the ransomware identification service.


-----

ID Ransomware submission stats
It is not known if Lilu is specifically targeting web servers, but most of the submitted files
seen by BleepingComputer are related to web sites. When reviewing the submitted files,
there does not seem to be a pattern such as WordPress, Magento, or other commonly
hacked CMS sites.

## Attackers possibly using exploits to gain access

[In response to Gillespie's tweet, one user reported that the attacker gained access to their](https://twitter.com/maztec/status/1158250770187182080)
web server using an Exim exploit. Gillespie further told BleepingComputer that another
victim felt that they were infected through an outdated WordPress installation.


-----

BleepingComputer has not been able to independently confirm if the attacker is using
exploits to hack into the sites.

## What's known about the Lilocked encryption process

Unfortunately, a sample has never been found for the Lilocked, or Lilu, Ransomware, so not
much is known about it other than what we can see in the wild.

When a machine is infected, the ransomware will encrypt a file and then append the
**.lilocked extension to the file name. For example, apple-icon.png would be encrypted and**
renamed to apple-icon.png.lilocked.

For each folder that is encrypted, Lilocked will also drop a ransom note
named #README.lilocked.


-----

**Encrypted server in**

**search results**
The #README.lilocked ransom note tells the victim that their data has been encrypted and
that they must go to the attacker's Tor payment site in order to pay a ransom. This ransom
note includes a key that is needed to login to the payment site.


-----

**Lilu ransom note**
If a victim goes to the site, they will be presented with a page asking them to enter their key.

**Lilu Tor payment site login**


-----

Once the key is entered, they will be shown a page with instructions on how to pay the
ransom. These instructions include a bitcoin address and ransom amount, which is 0.010
BTC or approximately $100 USD from the ransom demands seen by BleepingComputer.

**Lilu payment instructions**
At this time, there is no known way to decrypt files encrypted by Lilu, but if a sample is
discovered that may change.

BleepingComputer has also reached out to the contact email listed on the Tor site with
questions, but had not heard back at the time of this publication.

## IOCs:

### Associated Files:
```
#README.lilocked

 Associated email:
xijintao@tutanota.com

 Tor Payment Site:

```

-----

```
y7mfrrjkzql32nwcmgzwp3zxaqktqywrwvzfni4hm4sebtpw5kuhjzqd.onion

### Ransom Note Text:
I'VE ENCRYPTED ALL YOUR SENSITIVE DATA!!! IT'S A STRONG ENCRYPTION, SO DON'T BE
NAIVE TO RESTORE IT;)
YOU CAN BUY A DECRYPTION KEY FOR A SMALL AMOUNT OF BITCOINS!
YOU HAVE 7 DAYS TO DECRYPT YOUR FILES OR YOUR DATA WILL BE PERMANENTLY LOST!!!
PLEASE VISIT MY SITE WITH TOR BROWSER https://www.torproject.org/download/
     y7mfrrjkzql32nwcmgzwp3zxaqktqywrwvzfni4hm4sebtpw5kuhjzqd.onion
COPY THE FOLLOWING KEY THERE AND FOLLOW THE INSTRUCTIONS! (L2)
YOUR KEY IS
[key]

```
[Lilocked](https://www.bleepingcomputer.com/tag/lilocked/)
[Lilu](https://www.bleepingcomputer.com/tag/lilu/)
[Ransomware](https://www.bleepingcomputer.com/tag/ransomware/)

[Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)

Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's
area of expertise includes Windows, malware removal, and computer forensics. Lawrence
Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration
Field Guide and the technical editor for Rootkits for Dummies.

[Previous Article](https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/)
[Next Article](https://www.bleepingcomputer.com/news/security/over-37-million-lost-by-toyota-boshoku-subsidiary-in-bec-scam/)

Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/)

You need to login in order to post a comment

[Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=register)

### You may also like:


-----