Lilocked Lilu Ransomware

floyd

I was checking a server today and found a bunch of files with the extension .lilocked. I found out it's a result of ransomware called Lilu, and it seems to attack older versions of exim. Fortunately for me this was basically an abandoned server, so no real damage was done. But it was a wake-up call for me.

So my question: is updating exim all that is needed? Or do we know more than what I have found so far?
 
If you want to make sure you are on the latest dovecot, dovecot conf, exim and exim conf, run:
Code:
cd /usr/local/directadmin/custombuild
./build set eximconf yes
./build set eximconf_release 4.5
./build set dovecot_conf yes
./build clean
./build update
./build exim
./build dovecot
./build roundcube
./build exim_conf
./build dovecot_conf

If you want spam stuff, add this after the dovecot_conf part above:

Code:
./build set sa_update daily
./build set easy_spam_fighter yes
./build set blockcracking yes
./build set spamd rspamd
./build blockcracking
./build easy_spam_fighter

I would also make sure the OS is fully updated.
 
Looks like the exim version needs to be higher than 4.92.
Check with:

Code:
./build versions

Looks like it's been out since last year. It also appears to only encrypt certain files, like web files and images.
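As an added example, not from any poster in this thread: a small POSIX shell check for the two indicators discussed above, the Exim version threshold (higher than 4.92, as stated above) and files renamed with the .lilocked extension. Parsing the installed version from `exim -bV` is assumed to work on a standard Exim build; the directory to scan is whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the thread: defender-side checks for the Lilu
# indicators discussed above. Run as: sh lilu_check.sh /path/to/webroot

# Return 0 if the Exim version string is higher than 4.92 (the threshold the
# thread gives), 1 if it is 4.92 or older and the server needs ./build exim.
exim_is_patched() {
  v=$(printf '%s' "$1" | tr -cd '0-9.')          # keep only digits and dots
  major=$(printf '%s' "$v" | cut -s -d. -f1)
  minor=$(printf '%s' "$v" | cut -s -d. -f2)
  patch=$(printf '%s' "$v" | cut -s -d. -f3)
  major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
  if [ "$major" -gt 4 ]; then return 0; fi
  if [ "$major" -lt 4 ]; then return 1; fi
  if [ "$minor" -gt 92 ]; then return 0; fi
  if [ "$minor" -lt 92 ]; then return 1; fi
  [ "$patch" -gt 0 ]                              # 4.92.x point releases count as higher
}

# Print the installed Exim version (first line of `exim -bV` reads
# "Exim version 4.92 #2 built ..."); prints nothing if exim is not found.
installed_exim_version() {
  exim -bV 2>/dev/null | sed -n 's/^Exim version \([0-9.]*\).*/\1/p' | head -n 1
}

# Print how many files under the given directory carry the .lilocked extension.
count_lilocked() {
  find "$1" -type f -name '*.lilocked' 2>/dev/null | wc -l | tr -d ' '
}

# When run directly with a directory argument, report both indicators.
if [ -n "$1" ]; then
  ver=$(installed_exim_version)
  if [ -z "$ver" ]; then
    echo "exim not found in PATH; run ./build versions in custombuild instead"
  elif exim_is_patched "$ver"; then
    echo "exim $ver is higher than 4.92: OK"
  else
    echo "exim $ver is 4.92 or older: update it (./build exim)"
  fi
  echo "$(count_lilocked "$1") .lilocked file(s) found under $1"
fi
```

A non-zero .lilocked count is only evidence that encryption already happened; the version check is the one that tells you whether the hole is still open.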
 
I noticed it because files in /var/named were encrypted.

I have been using DirectAdmin since 2005, so I know how to update. I wanted to know if anybody knew any more about it than what I have been able to find so far, namely updating exim. Is exim really the problem? Yes, I know "keep everything updated" as a general rule, but I'm asking about this specific issue.
 
Oh sorry. I hadn’t realized you had been around so long.
 