September 9, 2019 By David Bisson 2 min read

A new family of ransomware called Lilocked (or Lilu) infected thousands of web servers and encrypted their files.

According to ZDNet, users first began uploading ransom notes for Lilocked ransomware to ID Ransomware in mid-July 2019. Researchers found evidence of these attacks having intensified near the end of August. They also found that the ransomware mainly targeted a small subset of file extensions, including HTML, SHTML, JS, CSS, PHP and INI, hosted on Linux web servers. The means by which attackers gained access to these servers and encrypted their files remained unknown at the time of writing.

After Lilocked finished its encryption routine, each affected file sported .lilocked as its file extension. The ransomware also deposited a ransom note into each folder where it encrypted files. That message redirected victims to a payment portal on the darknet where a second ransom message demanded that victims pay 0.03 bitcoin (worth approximately $310).

The Latest Threat to Target Linux Servers

Lilocked isn’t the first threat family to target Linux servers. In February 2019, Bleeping Computer observed B0r0nt0K demanding as much as 20 bitcoins (then worth approximately $75,000) from Linux servers whose contents it had encrypted. A few months later, Intezer Labs discovered a new malware family called HiddenWasp targeting Linux severs for the purpose of achieving targeted remote control. More recently, in July 2019, Intezer Labs observed QNAPCrypt going after Linux-based file storage systems (NAS servers).

How to Defend Against Lilocked Ransomware

Security professionals can help defend their organizations against Lilocked ransomware by having a data backup strategy that enables backup accounts to access production systems, yet blocks production accounts from writing to any type of backup. Companies should link this backup strategy to a sophisticated data-centric solution that blends encryption, access controls and other security measures, thereby narrowing the attack surface for threats like ransomware.

More from

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today