SUSE Support

Here When You Need Us

How does lilu/lilocked ransomware affecting SUSE products

This document (7024110) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 4 (SLES 12 SP4)
SUSE Linux Enterprise Server 15 Service Pack 1 (SLES 15 SP1)
SUSE Manager 3.2
SUSE Manager 4.0

Situation

Lilu, a new Ransomware which targets Linux servers, has been spotted since mid-July in the wild. Lilu, does not encrypt any system files but only a small subset of web-related files and then requires a ransom to decrypt them. Even though, it is currently not known which vulnerability Lilu exploits in order to gain root access, security researchers suspect Exim's CVE-2019-13917 and CVE-2019-15846 which allow an attacker to connect remotely and execute code with root privileges. Other researchers believe that Lilu exploits known vulnerabilities of outdated versions of WordPress.


Resolution

Since the exact exploitation method of Lilu is not yet known it is highly recommended to keep your system updated. Especially customers who decided to install Exim or WordPress from another source, they are required to update Exim to the latest fully patched version, keep WordPress updated all the time and install to it updated, trusted and well maintained plugins.

Cause

Who is affected

It is unclear who is affected but currently we are not aware of any affected SUSE Enterprise product. None SUSE Enterprise products ship Exim or WordPress. For example Exim is only being shipped in openSUSE LEAP 15.0 and 15.1 where an update which solves the suspected vulnerabilities is already available.

Additional Information

External sources

https://www.cybersecurity-insiders.com/lilocked-ransomware-hits-linux-servers
https://cyware.com/news/linux-servers-under-attack-by-lilocked-ransomware-e9c4f966
https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7024110
  • Creation Date: 12-Sep-2019
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server
    • SUSE Manager

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.