{
	"id": "d271fa76-ae30-4894-830e-bffebb0aa2ea",
	"created_at": "2026-04-06T00:21:07.450759Z",
	"updated_at": "2026-04-10T13:12:10.036Z",
	"deleted_at": null,
	"sha1_hash": "e2950f18e6aaae3b28c22393f9899193d2761b34",
	"title": "Lilocked Ransomware Actively Targeting Servers and Web Sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1747091,
	"plain_text": "Lilocked Ransomware Actively Targeting Servers and Web Sites\r\nBy Lawrence Abrams\r\nPublished: 2019-09-06 · Archived: 2026-04-05 20:04:01 UTC\r\nA relatively new ransomware named Lilocked by researchers and Lilu by the developers is actively targeting servers and\r\nencrypting the data located on them. All of the known infected servers are web sites, which is causing the encrypted files to\r\nshow up in Google search results.\r\nWe first reported on Lilu in our The Week in Ransomware article on July 26th, 2019, when Michael Gillespie saw a\r\nsample uploaded to his ID Ransomware service. It was spotted again yesterday by security researcher Benkow, who tweeted\r\nabout it.\r\nGoogle reports over 6,000 search results with web servers that have been encrypted by this ransomware and have had their\r\nfiles renamed with a .lilocked extension. It should be noted that many of these results are for the same web sites.\r\nGoogle search results showing infected servers\r\nFurthermore, submission stats from ID Ransomware show that this infection has a low, but steady, volume of\r\nsubmissions to the ransomware identification service.\r\nID Ransomware submission stats\r\nIt is not known if Lilu is specifically targeting web servers, but most of the submitted files seen by BleepingComputer are\r\nrelated to web sites. 
When reviewing the submitted files, there does not seem to be a pattern such as WordPress, Magento, or\r\nother commonly hacked CMS sites.\r\nAttackers possibly using exploits to gain access\r\nIn response to Gillespie's tweet, one user reported that the attacker gained access to their web server using an Exim exploit.\r\nGillespie further told BleepingComputer that another victim felt that they were infected through an outdated WordPress\r\ninstallation.\r\nBleepingComputer has not been able to independently confirm if the attacker is using exploits to hack into the sites.\r\nWhat's known about the Lilocked encryption process\r\nUnfortunately, a sample has never been found for the Lilocked, or Lilu, Ransomware, so not much is known about it other\r\nthan what we can see in the wild.\r\nWhen a machine is infected, the ransomware will encrypt a file and then append the .lilocked extension to the file name. For\r\nexample, apple-icon.png would be encrypted and renamed to apple-icon.png.lilocked.\r\nFor each folder that is encrypted, Lilocked will also drop a ransom note named #README.lilocked.\r\nEncrypted server in search results\r\nThe #README.lilocked ransom note tells the victim that their data has been encrypted and that they must go to the\r\nattacker's Tor payment site in order to pay a ransom. 
This ransom note includes a key that is needed to log in to the payment\r\nsite.\r\nLilu ransom note\r\nIf a victim goes to the site, they will be presented with a page asking them to enter their key.\r\nLilu Tor payment site login\r\nOnce the key is entered, they will be shown a page with instructions on how to pay the ransom. These instructions include a\r\nbitcoin address and ransom amount, which is 0.010 BTC or approximately $100 USD from the ransom demands seen by\r\nBleepingComputer.\r\nLilu payment instructions\r\nAt this time, there is no known way to decrypt files encrypted by Lilu, but if a sample is discovered that may change.\r\nBleepingComputer has also reached out to the contact email listed on the Tor site with questions, but had not heard back at\r\nthe time of this publication.\r\nIOCs:\r\nAssociated Files:\r\n#README.lilocked\r\nAssociated email:\r\nxijintao@tutanota.com\r\nTor Payment Site:\r\ny7mfrrjkzql32nwcmgzwp3zxaqktqywrwvzfni4hm4sebtpw5kuhjzqd.onion\r\nRansom Note Text:\r\nI'VE ENCRYPTED ALL YOUR SENSITIVE DATA!!! IT'S A STRONG ENCRYPTION, SO DON'T BE NAIVE TO RESTORE IT;)\r\nYOU CAN BUY A DECRYPTION KEY FOR A SMALL AMOUNT OF BITCOINS!\r\nYOU HAVE 7 DAYS TO DECRYPT YOUR FILES OR YOUR DATA WILL BE PERMANENTLY LOST!!!\r\nPLEASE VISIT MY SITE WITH TOR BROWSER https://www.torproject.org/download/\r\ny7mfrrjkzql32nwcmgzwp3zxaqktqywrwvzfni4hm4sebtpw5kuhjzqd.onion\r\nCOPY THE FOLLOWING KEY THERE AND FOLLOW THE INSTRUCTIONS! (L2)\r\nYOUR KEY IS\r\n[key]\r\nSource: https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/"
	],
	"report_names": [
		"lilocked-ransomware-actively-targeting-servers-and-web-sites"
	],
	"threat_actors": [],
	"ts_created_at": 1775434867,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2950f18e6aaae3b28c22393f9899193d2761b34.pdf",
		"text": "https://archive.orkl.eu/e2950f18e6aaae3b28c22393f9899193d2761b34.txt",
		"img": "https://archive.orkl.eu/e2950f18e6aaae3b28c22393f9899193d2761b34.jpg"
	}
}