A new form of ransomware called Lilocked (or Lilu) has been targeting Linux servers and encrypting website files, asking for a Bitcoin ransom to get these files back.
Media reports suggest that thousands of Linux servers across the world have become infected with Lilocked ransomware since July.
One of the big concerns is that it is currently unknown how the Lilocked ransomware is able to infect Linux servers.
One theory is that the people behind the ransomware may target systems running outdated Exim (email) software, according to a report by ZDNet.
South African websites affected
It is possible to find servers and websites affected by this ransomware as the encrypted files have a “.lilocked” file extension.
A Google search revealed that a handful of South African websites using .co.za domains have fallen victim to this malware.
Some of the South African websites affected by the Lilocked ransomware include africanfootprints.co.za, thinstone.co.za, msits.co.za and pinpointsecurity.co.za.
Ransom in Bitcoin demanded
All websites affected by the Lilocked ransomware have a file called “#README.lilocked” with the following message:
We apologize but you need to pay the ransom – all your files has been Lilocked. It is strong encryption and you loss your data unless you pay us.
The message also provides victims with the address of a portal on the dark web where they have to paste their unique key from the ransom note.
Victims are then instructed to pay 0.03 Bitcoin to unlock their encrypted files.
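Administrators can check their own servers for the two indicators described above, the ".lilocked" extension and the "#README.lilocked" note. The following Python script is an added example, not code from the original report; the default web root /var/www and the use of file modification times to estimate when encryption happened are assumptions.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".lilocked"    # extension named in the article
RANSOM_NOTE = "#README.lilocked"  # ransom note filename named in the article


def scan_tree(root):
    """Walk root (symlinks not followed) and collect Lilocked indicators."""
    notes, encrypted, per_dir, earliest = [], [], Counter(), None
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:  # the note itself also ends in .lilocked
                notes.append(path)
                continue
            if not name.endswith(ENCRYPTED_SUFFIX):
                continue
            encrypted.append(path)
            per_dir[dirpath] += 1
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # unreadable or removed mid-scan; already counted
            # Assumption: the encrypted copy's mtime approximates encryption time.
            earliest = mtime if earliest is None else min(earliest, mtime)
    return {"ransom_notes": sorted(notes), "encrypted_files": sorted(encrypted),
            "per_directory": dict(per_dir), "earliest_mtime": earliest}


def main(argv):
    root = argv[1] if len(argv) > 1 else "/var/www"  # assumed default web root
    result = scan_tree(root)
    print(f"ransom notes: {len(result['ransom_notes'])}, "
          f"encrypted files: {len(result['encrypted_files'])}")
    for directory, count in sorted(result["per_directory"].items()):
        print(f"  {count:6d}  {directory}")
    if result["earliest_mtime"] is not None:
        when = datetime.fromtimestamp(result["earliest_mtime"], tz=timezone.utc)
        print(f"earliest encrypted file mtime (UTC): {when.isoformat()}")
    # Non-zero exit lets a cron job or monitoring check alert on any hit.
    return 1 if result["ransom_notes"] or result["encrypted_files"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The per-directory counts show which sites on a shared server were hit, and the earliest timestamp gives a starting point for reviewing logs from around that time.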
What the infection looks like
The screenshots below show what a website infected by Lilocked looks like.