A Cl0p ransomware variant targeting Linux systems emerged recently, but a flaw in the encryption algorithm has already allowed for the creation of a free decryptor for it.
Cl0p has been one of the most active ransomware families over the past several years, targeting numerous private and public organizations globally, in sectors such as aerospace, energy, education, finance, high-tech, healthcare, manufacturing, telecoms, and transportation and logistics.
In November 2021, authorities announced the arrest of six individuals linked to the Cl0p operation, but the ransomware continues to be used in attacks. In August 2022, Cl0p claimed responsibility for hacking a UK water company.
Today, cybersecurity company SentinelOne announced the discovery of a Linux variant of Cl0p (aka Clop), which was used in late December 2022 in an attack against a university in Colombia.
The ELF variant of Cl0p has been developed in a similar logic to the Windows version and appears to be in early development stages, as it lacks some of the functionality seen in Windows samples.
Observed differences include API calls and other OS-related changes, but the encryption method is the same, SentinelOne says.
After execution, the ransomware attempts to access root, after which it begins encrypting other directories. Unlike the Windows variant, it targets specific folders and subfolders, encrypting all files in them.
Cl0p for Linux targets subdirectories for optional software packages, multiple Oracle directories, the home directory for each user, and the home directory for the root user. A ransom note is then dropped on the victim’s machine, instructing them to contact the attackers via email.
SentinelOne’s analysis of the threat has revealed a flaw in the encryption algorithm, where a hardcoded RC4 ‘master-key’ is used during the encryption process, which allowed them to decrypt Cl0p-encrypted files.
To help victims of the Cl0p-ELF variant restore their data, SentinelOne has created a Python script that is available on GitHub.
“While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward,” SentinelOne concludes.
Related: Cyber Insights 2023 | Ransomware
Related: VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
Related: Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom