Clop: New Linux ransomware variant threat

Researchers from SentinelLabs have spotted the first Linux variant of Cl0p (aka “Clop”) ransomware, targeting Linux systems on December 26, 2022.

According to SentinelLabs, Clop ransomware is similar to the Windows variant, in that it uses the same encryption method and similar process logic. The ELF executable also contains a “flawed encryption algorithm making it possible to decrypt locked files without paying the ransom.”

Executable and Link Format (ELF) is an executable file format for executable files, object code, shared libraries, and core dumps used on Linux and Unix platforms.

The security firm said there likely was a “bigger attack” a couple days earlier on December 24 against the University in Colombia. On January 5, 2023, the cybercriminals released victim’s data on their onion page.

“Over the last twelve months or so we have continued to observe the increased targeting of multiple platforms by individual ransomware operators or variants. The discovery of an ELF-variant of Cl0p adds to the growing list of the likes of HiveQilinSnakeSmaugQyick and numerous others,” SentinelLabs wrote in a blog post.

Moreover, researchers discovered the following ELF sample target folders and files used for encryption:

/optContains subdirectories for optional software packages
/u01Oracle Directory, mount point used for the Oracle software only.
/u02Oracle Directory, used for the database files.
/u03Oracle Directory, used for the database files.
/u04Oracle Directory, used for the database files.
/homeContains the home directory of each user.
/rootContains the home directory of the root user.

Additionally, SentinelLabs further described an encryption flaw in the new Linux variant that did not exist in the Windows variant.

“This core functionality is missing in the Linux variant. Instead, we discovered a flawed ransomware-encryption logic which makes it possible to retrieve the original files without paying for a decryptor,” SentinelLabs added.

Readers can read more details in the post to include interesting research on a Cl0p File-Key creation flaw, developed functions and names, and more.

Also check out related articles to include other recent ransomware attacks at links below.

Related Articles