Yet another Linux attack has surfaced recently that has impacted thousands of servers. It’s a ransomware called Lilocked (aka Lilock or Lilu) and likely takes advantage of a known Exim vulnerability or possibly old versions of WordPress to gain system entry. Once inside, Lilu encrypts the data on the server and renames the files with a *.lilocked extension.
For each folder that is encrypted, Lilocked also drops a ransom note that provides instructions on how to pay bitcoin (approximately $100) to remove the encryption. A sample has yet to be found, so there is no known way to remove the encryption without paying the ransom.
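An added example, not code from the original post or from Cmd: a small Python scanner that flags directories containing a burst of files renamed with the *.lilocked extension described above, which is the one concrete indicator the post gives. It assumes the original filename, extension included, is kept in front of the appended suffix (an assumption, since no sample has been analysed), and the directory tree it scans in the demo is constructed for the dry run.

```python
import os
import tempfile

LILOCKED_SUFFIX = ".lilocked"  # extension Lilocked appends to each encrypted file


def scan_for_lilocked(root, min_files=3):
    """Walk `root` and report directories that look encrypted by Lilocked.

    Returns {directory: (locked_count, total_count)} for every directory
    holding at least `min_files` entries with the .lilocked suffix. The
    count is per directory because the ransomware works folder by folder
    (one ransom note per folder), so a cluster of renamed files in one
    place is the signal, not a single stray file.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        locked = [f for f in filenames if f.lower().endswith(LILOCKED_SUFFIX)]
        if len(locked) >= min_files:
            hits[dirpath] = (len(locked), len(filenames))
    return hits


def original_name(locked_name):
    """Recover the pre-encryption filename for inventory and restore planning.

    Assumption: Lilocked appends .lilocked and leaves the original name intact.
    """
    if locked_name.lower().endswith(LILOCKED_SUFFIX):
        return locked_name[: -len(LILOCKED_SUFFIX)]
    return locked_name


def demo():
    """Build a constructed sample tree in a temp dir, scan it, and return the
    hits keyed by path relative to the temp root (paths are constructed)."""
    with tempfile.TemporaryDirectory() as base:
        clean = os.path.join(base, "var", "www", "clean")
        hit = os.path.join(base, "var", "www", "html", "uploads")
        os.makedirs(clean)
        os.makedirs(hit)
        for name in ("index.php", "style.css"):
            open(os.path.join(clean, name), "w").close()
        for name in ("a.jpg.lilocked", "b.pdf.lilocked", "c.doc.lilocked", "readme.txt"):
            open(os.path.join(hit, name), "w").close()
        return {os.path.relpath(d, base): v for d, v in scan_for_lilocked(base).items()}


if __name__ == "__main__":
    for directory, (locked, total) in demo().items():
        print(f"{directory}: {locked}/{total} files carry {LILOCKED_SUFFIX}")
```

Running it against a real server is `scan_for_lilocked("/")` with a `min_files` threshold tuned to the environment; `original_name` then gives the list of files to restore from backup.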
Lilocked is yet another cyber attack in a growing list of those targeting Linux. Other notable Linux attacks in 2019 include:
Both the volume and severity of attacks on Linux seem to be on the rise in 2019, and the trend doesn’t appear to be stopping anytime soon.
There is good reason why Linux is now a popular focus for cyber attacks. In fact, there are four good reasons:
The Linux footprint is growing fast — as is awareness of the specific attack vectors and security failure scenarios unique to Linux cloud environments. Unfortunately, many of the security products that were originally developed for Windows-centric, corporate models simply don’t scale in the cloud era.
Antivirus solutions are so highly tuned for Windows viruses that they are largely irrelevant on Linux. Furthermore, they are far too heavyweight for the high-performance needs of most server environments.
EDR (Endpoint Detection & Response) requires highly skilled “detectives” to wade through an overwhelming amount of data in order to find threats. They struggle with the active breach scenarios and lateral movement patterns that are highly prevalent in Linux. And of course, EDR is completely reactive — by the time the incident is detected it may be too late.
Privileged Access Management works well in highly centralized, Active Directory-based environments. However, on Linux it provides little protection from the biggest threat — a root-access user who does something they shouldn’t, accidentally or maliciously. Again, by the time the action is taken, it’s too late.
These legacy solutions simply were not built for high-velocity, rapid-iteration cloud environments. They are overly restrictive, they bring DevOps to a halt, and they stifle an organization’s ability to innovate and compete.
Cmd delivers cloud-scale security that enforces security policy without slowing down DevOps. Intelligent guardrails that can block dangerous commands, even for root users, let security professionals rest easy that policies are followed and compliance requirements are met. Deep visibility into Linux environments helps your SOC and incident responders navigate complex cloud environments to find threats hidden in plain sight. Operational controls let you work with the DevOps tools you already have in place, to keep security lightweight and strong. Oh — and Cmd works across all flavors of Linux commonly used in the enterprise, without needing to be re-deployed every time Linux is patched or upgraded.
Want to know more? Sign up for a free trial of the Cmd Linux Server security solution. With the continued increase in Linux attacks, deploying it should be a priority for security and DevOps teams, or the next Lilocked may cause serious consequences.