Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Linux Variant of Cl0p Ransomware Emerges

A Cl0p ransomware variant targeting Linux systems emerged recently, but a flaw in the encryption algorithm has already allowed for the creation of a free decryptor.

A Cl0p ransomware variant targeting Linux systems emerged recently, but a flaw in the encryption algorithm has already allowed for the creation of a free decryptor for it.

Cl0p has been one of the most active ransomware families over the past several years, targeting numerous private and public organizations globally, in sectors such as aerospace, energy, education, finance, high-tech, healthcare, manufacturing, telecoms, and transportation and logistics.

In November 2021, authorities announced the arrest of six individuals linked to the Cl0p operation, but the ransomware continues to be used in attacks. In August 2022, Cl0p claimed responsibility for hacking a UK water company.

Today, cybersecurity company SentinelOne announced the discovery of a Linux variant of Cl0p (aka Clop), which was used in late December 2022 in an attack against a university in Colombia.

The ELF variant of Cl0p has been developed in a similar logic to the Windows version and appears to be in early development stages, as it lacks some of the functionality seen in Windows samples.

Observed differences include API calls and other OS-related changes, but the encryption method is the same, SentinelOne says.

After execution, the ransomware attempts to access root, after which it begins encrypting other directories. Unlike the Windows variant, it targets specific folders and subfolders, encrypting all files in them.

Cl0p for Linux targets subdirectories for optional software packages, multiple Oracle directories, the home directory for each user, and the home directory for the root user. A ransom note is then dropped on the victim’s machine, instructing them to contact the attackers via email.

Advertisement. Scroll to continue reading.

SentinelOne’s analysis of the threat has revealed a flaw in the encryption algorithm, where a hardcoded RC4 ‘master-key’ is used during the encryption process, which allowed them to decrypt Cl0p-encrypted files.

To help victims of the Cl0p-ELF variant restore their data, SentinelOne has created a Python script that is available on GitHub.

“While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward,” SentinelOne concludes.

Related: Cyber Insights 2023 | Ransomware

Related: VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability

Related: Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.

Ransomware

Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.