The Lilocked (or Lilu) ransomware was first reported by the malware researcher Micheal Gillespie. He observed the first case of Lilocked when a user uploaded a ransomware note to his ID Ransomware website. This website can be used to identify the ransomware based on the details in the note.

Once infected, the victim’s data is encrypted with .lilocked file extension. A note named #README.lilocked is displayed along with the encrypted files. It redirects the users to a website on the dark web and provides a key to log in to the site. Users are then asked to make a payment in bitcoins to get their files decrypted.

Thousands of servers have been infected with this ransomware since July.