
Comment Re:Haha maybe that should be running (Score 1) 71

Several sources have cited security researchers stating that it's likely due to the Exim CVE exploits. One very detailed article published here covers ITW attempts to use the CVE exploit that are being seen deploying malware: https://securityaffairs.co/wor... I also did some independent research and searched around on Shodan for about 10-15 of the hosts showing up with lilocked file extensions on their webservers now, and they are all 1) hosted in Russia, 2) have out-of-date Exim software vulnerable to the recent CVEs posted...

Comment Re:Catch it in the act (Score 1) 71

Is there a way to detect that a file with .lilocked extension is being created and lock that PID down? Would be nice to catch it in the act so we can identify the source of the infection.

If you have root access to the server then I'm sure that you can run ps, watch, strace, iostat, etc. to monitor where it's coming from. Now, with that being said, if you have root access, I hope that you are patching your systems and you likely wouldn't have this problem anyway. Sadly, all the samples I've found via hunting on VT and referenced in any public sources look like the decrypter tool and not the malicious binary as well.
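The question above asks how to notice a `.lilocked` file being created and pin down the process responsible. As an added example (not code from either commenter), the script below does the simplest version of that on Linux: it polls a web root for files that have gained the extension, then walks `/proc/<pid>/fd` to find every process still holding such a file open and records its executable, command line, working directory and parent. The `/var/www` default, the polling interval and the optional SIGSTOP "freeze" are assumptions of this example; it needs root to read other users' `/proc` entries.

```python
"""Added example: poll-based detector for files gaining the ".lilocked"
extension on a Linux host, identifying the process(es) holding them open
via /proc so a responder can inspect or pause them. Assumes Linux /proc."""
import os
import signal
import time

SUSPICIOUS_SUFFIX = ".lilocked"   # extension reported on the affected web servers


def find_locked_files(root, suffix=SUSPICIOUS_SUFFIX):
    """Return sorted paths under root whose file name ends with suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffix):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def pids_with_open_handle(path):
    """Return PIDs currently holding `path` open, by reading /proc/<pid>/fd links."""
    target = os.path.realpath(path)
    holders = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join("/proc", entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # process already exited, or not ours and we are not root
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    holders.append(int(entry))
                    break
            except OSError:
                continue
    return holders


def process_info(pid):
    """Collect what a responder wants first: exe, cmdline, cwd and parent PID."""
    base = os.path.join("/proc", str(pid))
    info = {"pid": pid, "exe": None, "cwd": None, "cmdline": None, "ppid": None}
    for key in ("exe", "cwd"):
        try:
            info[key] = os.readlink(os.path.join(base, key))
        except OSError:
            pass
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            info["cmdline"] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        pass
    try:
        with open(os.path.join(base, "status")) as fh:
            for line in fh:
                if line.startswith("PPid:"):
                    info["ppid"] = int(line.split()[1])
                    break
    except OSError:
        pass
    return info


def freeze(pid):
    """Pause (not kill) a process with SIGSTOP so its memory and open files survive for forensics."""
    os.kill(pid, signal.SIGSTOP)


def watch(root, rounds=None, interval=1.0, stop_offenders=False):
    """Poll `root`; report each newly seen suffixed file and the PIDs holding it open.
    Returns a list of (path, [process_info dicts]) findings."""
    seen = set()
    findings = []
    n = 0
    while rounds is None or n < rounds:
        for path in find_locked_files(root):
            if path in seen:
                continue
            seen.add(path)
            infos = [process_info(pid) for pid in pids_with_open_handle(path)]
            findings.append((path, infos))
            print(f"[!] new {SUSPICIOUS_SUFFIX} file: {path}")
            for info in infos:
                print(f"    held open by pid {info['pid']}: exe={info['exe']} cmdline={info['cmdline']}")
                if stop_offenders and info["pid"] != os.getpid():
                    freeze(info["pid"])
        n += 1
        if rounds is None or n < rounds:
            time.sleep(interval)
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"   # assumed default web root
    watch(root, stop_offenders="--freeze" in sys.argv)
```

Polling only catches a writer that still has the file open when the scan runs, so a process that renames or writes and closes each file in milliseconds can slip through; for that case the `strace`/`auditd`-style approaches mentioned above, or an inotify watcher on the directory, give a per-event record. The SIGSTOP option is deliberately a pause rather than a kill: a stopped process keeps its memory, keys and open descriptors available for imaging.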
