Security Experts:

Connect with us

Hi, what are you looking for?



Linux Variant of Cl0p Ransomware Emerges

A Cl0p ransomware variant targeting Linux systems emerged recently, but a flaw in the encryption algorithm has already allowed for the creation of a free decryptor.

A Cl0p ransomware variant targeting Linux systems emerged recently, but a flaw in the encryption algorithm has already allowed for the creation of a free decryptor for it.

Cl0p has been one of the most active ransomware families over the past several years, targeting numerous private and public organizations globally, in sectors such as aerospace, energy, education, finance, high-tech, healthcare, manufacturing, telecoms, and transportation and logistics.

In November 2021, authorities announced the arrest of six individuals linked to the Cl0p operation, but the ransomware continues to be used in attacks. In August 2022, Cl0p claimed responsibility for hacking a UK water company.

Today, cybersecurity company SentinelOne announced the discovery of a Linux variant of Cl0p (aka Clop), which was used in late December 2022 in an attack against a university in Colombia.

The ELF variant of Cl0p has been developed in a similar logic to the Windows version and appears to be in early development stages, as it lacks some of the functionality seen in Windows samples.

Observed differences include API calls and other OS-related changes, but the encryption method is the same, SentinelOne says.

After execution, the ransomware attempts to access root, after which it begins encrypting other directories. Unlike the Windows variant, it targets specific folders and subfolders, encrypting all files in them.

Cl0p for Linux targets subdirectories for optional software packages, multiple Oracle directories, the home directory for each user, and the home directory for the root user. A ransom note is then dropped on the victim’s machine, instructing them to contact the attackers via email.

SentinelOne’s analysis of the threat has revealed a flaw in the encryption algorithm, where a hardcoded RC4 ‘master-key’ is used during the encryption process, which allowed them to decrypt Cl0p-encrypted files.

To help victims of the Cl0p-ELF variant restore their data, SentinelOne has created a Python script that is available on GitHub.

“While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward,” SentinelOne concludes.

Related: Cyber Insights 2023 | Ransomware

Related: VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability

Related: Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Dole was forced to shut down systems in North America due to a ransomware attack, which has reportedly led to salad shortages in some...


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.


The City of Oakland has disclosed a ransomware attack that impacted several non-emergency systems.


The personal and health information of more than 3.3 million individuals was stolen in a ransomware attack at Regal Medical Group.