A Cl0p ransomware variant targeting Linux systems emerged recently, but a flaw in the encryption algorithm has already allowed for the creation of a free decryptor for it.
Cl0p has been one of the most active ransomware families over the past several years, targeting numerous private and public organizations globally, in sectors such as aerospace, energy, education, finance, high-tech, healthcare, manufacturing, telecoms, and transportation and logistics.
In November 2021, authorities announced the arrest of six individuals linked to the Cl0p operation, but the ransomware continues to be used in attacks. In August 2022, Cl0p claimed responsibility for hacking a UK water company.
Today, cybersecurity company SentinelOne announced the discovery of a Linux variant of Cl0p (aka Clop), which was used in late December 2022 in an attack against a university in Colombia.
The ELF variant of Cl0p has been developed in a similar logic to the Windows version and appears to be in early development stages, as it lacks some of the functionality seen in Windows samples.
Observed differences include API calls and other OS-related changes, but the encryption method is the same, SentinelOne says.
After execution, the ransomware attempts to access root, after which it begins encrypting other directories. Unlike the Windows variant, it targets specific folders and subfolders, encrypting all files in them.
Cl0p for Linux targets subdirectories for optional software packages, multiple Oracle directories, the home directory for each user, and the home directory for the root user. A ransom note is then dropped on the victim’s machine, instructing them to contact the attackers via email.
SentinelOne’s analysis of the threat has revealed a flaw in the encryption algorithm, where a hardcoded RC4 ‘master-key’ is used during the encryption process, which allowed them to decrypt Cl0p-encrypted files.
To help victims of the Cl0p-ELF variant restore their data, SentinelOne has created a Python script that is available on GitHub.
“While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward,” SentinelOne concludes.
Related: Cyber Insights 2023 | Ransomware
Related: VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
Related: Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom
More from Ionut Arghire
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
