Infections have been happening since mid-July, and have intensified in the past two weeks.
Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only. The way the Lilocked gang breaches servers and encrypts their content is currently unknown.
A thread on a Russian-speaking forum puts forward the theory that the hackers are targeting systems running outdated Exim (email) software. It mentions that the ransomware managed to get root access to servers by unknown means.
Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally.
According to French security researcher Benkow, Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results.
However, the number of victims is suspected to be much much higher. Not all Linux systems run web servers, and many other infected systems haven't been indexed in Google search results.