Clop: New Linux ransomware variant threat

Researchers from SentinelLabs have spotted the first Linux variant of Cl0p (aka “Clop”) ransomware, observed targeting Linux systems on December 26, 2022.

According to SentinelLabs, the Linux variant of Clop ransomware is similar to the Windows variant: it uses the same encryption method and similar process logic. The ELF executable also contains a “flawed encryption algorithm making it possible to decrypt locked files without paying the ransom.”

Executable and Linkable Format (ELF) is the standard binary file format for executables, object code, shared libraries, and core dumps on Linux and Unix platforms.
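When a sample such as this one lands on an analyst's desk, the first triage step is to confirm it really is an ELF binary and to read its header (class, endianness, type, target architecture, and whether a section header table is present). The following parser is an added example, not code from the article or from SentinelLabs; the 64-byte sample header it parses is constructed here for illustration and is not bytes from the Cl0p sample.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}
ELF_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
ELF_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf_header(data: bytes) -> dict:
    """Parse the ELF identification bytes and file header found in `data`.

    Returns the fields a triage analyst looks at first; raises ValueError
    when the bytes are not an ELF header this parser can read.
    """
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in ELF_CLASS or ei_data not in ELF_DATA:
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # ELF64 uses 8-byte e_entry/e_phoff/e_shoff; ELF32 uses 4-byte ones.
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    size = struct.calcsize(fmt)
    if len(data) < 16 + size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _e_version, e_entry, e_phoff, e_shoff, _e_flags,
     _e_ehsize, _e_phentsize, e_phnum, _e_shentsize, e_shnum,
     _e_shstrndx) = struct.unpack(fmt, data[16:16 + size])
    return {
        "class": ELF_CLASS[ei_class],
        "data": ELF_DATA[ei_data],
        "os_abi": data[7],
        "type": ELF_TYPE.get(e_type, f"unknown(0x{e_type:x})"),
        "machine": ELF_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
        "entry": e_entry,
        "phoff": e_phoff,
        "phnum": e_phnum,
        "shoff": e_shoff,
        "shnum": e_shnum,
        # A missing section header table is unusual for plain compiler
        # output and common in stripped or packed samples: flag it for review.
        "sections_stripped": e_shoff == 0 or e_shnum == 0,
    }


# Constructed sample input: a 64-byte ELF64 little-endian x86-64 executable
# header with no section header table (not bytes from the Cl0p sample).
SAMPLE_ELF64_HEADER = (
    ELF_MAGIC
    + bytes([2, 1, 1, 0, 0])  # EI_CLASS=64-bit, EI_DATA=LE, EI_VERSION, EI_OSABI=SysV, EI_ABIVERSION
    + bytes(7)                # EI_PAD
    + struct.pack("<HHIQQQIHHHHHH",
                  2, 0x3E, 1,      # e_type=ET_EXEC, e_machine=EM_X86_64, e_version
                  0x401000,        # e_entry
                  64, 0,           # e_phoff, e_shoff (0: no section headers)
                  0,               # e_flags
                  64, 56, 1,       # e_ehsize, e_phentsize, e_phnum
                  64, 0, 0)        # e_shentsize, e_shnum, e_shstrndx
)


if __name__ == "__main__":
    import sys
    # Pass a file path to triage a real binary; otherwise use the constructed header.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(64)
    else:
        blob = SAMPLE_ELF64_HEADER
    for key, value in parse_elf_header(blob).items():
        print(f"{key:18} {value}")
```

Only the first 64 bytes of a file are needed (52 for ELF32), so the check is cheap enough to run over a whole quarantine directory before any deeper analysis.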

The security firm said there was likely a “bigger attack” a couple of days earlier, on December 24, against a university in Colombia. On January 5, 2023, the cybercriminals released the victim’s data on their onion (Tor) leak page.

“Over the last twelve months or so we have continued to observe the increased targeting of multiple platforms by individual ransomware operators or variants. The discovery of an ELF-variant of Cl0p adds to the growing list of the likes of Hive, Qilin, Snake, Smaug, Qyick and numerous others,” SentinelLabs wrote in a blog post.

The researchers also identified the following folders and files that the ELF sample targets for encryption:

Folder   Description
/opt     Contains subdirectories for optional software packages
/u01     Oracle directory; mount point used for the Oracle software only
/u02     Oracle directory, used for the database files
/u03     Oracle directory, used for the database files
/u04     Oracle directory, used for the database files
/home    Contains the home directory of each user
/root    Contains the home directory of the root user
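A defender can turn that target list into a cheap check: walk those directories and flag files that were modified recently and whose leading bytes look encrypted (high Shannon entropy). The scanner below is an added example, not code from the article or from SentinelLabs; the 7.5 bits-per-byte threshold, the one-hour window, and the demo files it builds in a temporary directory are all assumptions made here, and the random-byte file merely stands in for encrypted output.

```python
import math
import os
import stat
import tempfile
import time
from collections import Counter

# Folders the article lists as targets of the Cl0p ELF sample.
CLOP_TARGET_DIRS = ("/opt", "/u01", "/u02", "/u03", "/u04", "/home", "/root")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_for_suspect_files(roots=CLOP_TARGET_DIRS, entropy_threshold=7.5,
                           recent_seconds=3600, sample_bytes=4096, now=None):
    """Return sorted (path, entropy) pairs for regular files under `roots`
    modified within `recent_seconds` whose first `sample_bytes` score at or
    above `entropy_threshold`. Missing roots and unreadable files are skipped."""
    now = time.time() if now is None else now
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
                    if not stat.S_ISREG(st.st_mode) or now - st.st_mtime > recent_seconds:
                        continue
                    with open(path, "rb") as fh:
                        head = fh.read(sample_bytes)
                except OSError:
                    continue
                if len(head) < 256:  # too few bytes for a meaningful entropy score
                    continue
                ent = shannon_entropy(head)
                if ent >= entropy_threshold:
                    hits.append((path, round(ent, 2)))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed fixture: a temp directory mimicking /u01 with one plaintext
    Oracle config file and one random-byte file standing in for an encrypted file."""
    root = tempfile.mkdtemp(prefix="clop-scan-demo-")
    app = os.path.join(root, "u01", "app")
    os.makedirs(app)
    with open(os.path.join(app, "listener.ora"), "wb") as fh:
        fh.write(b"LISTENER = (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1521))\n" * 40)
    with open(os.path.join(app, "orders.csv"), "wb") as fh:
        fh.write(os.urandom(8192))  # random bytes as a stand-in, not real Cl0p output
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, ent in scan_for_suspect_files([demo_root]):
        print(f"suspect: {path} entropy={ent}")
```

Compressed archives, images, and legitimately encrypted data also score near 8 bits per byte, so a single hit proves nothing; the signal a responder wants is a burst of many such files appearing across the listed directories within a short window, which is why the scan keys on recent modification time as well as entropy.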

SentinelLabs also described an encryption flaw in the new Linux variant that does not exist in the Windows variant.

“This core functionality is missing in the Linux variant. Instead, we discovered a flawed ransomware-encryption logic which makes it possible to retrieve the original files without paying for a decryptor,” SentinelLabs added.

SentinelLabs’ post contains further details, including research on a Cl0p file-key creation flaw, the functions and names found in the sample, and more.
