Linux Variant of Clop Ransomware Spotted, But Uses Faulty Encryption Algorithm

February 7, 2023 | Ravie Lakshmanan | Encryption / Linux

Linux version of Clop ransomware

The first Linux variant of the Clop ransomware has been detected, but it contains flaws in its encryption algorithm that allow the process to be reverse engineered.

In a report shared with The Hacker News, SentinelOne researcher Antonis Terefos said, “The ELF executable contains a flawed encryption algorithm that allows locked files to be decrypted without paying the ransom.”

The cybersecurity firm, which has made a decryption tool available, said it observed the ELF version on December 26, 2022, and noted its similarities to the Windows flavor, which uses the same encryption method.

The detected samples are said to be part of a larger attack targeting Colombian educational institutions, including La Salle University, around the same time. The university was added to the criminal group’s leak site in early January 2023, according to FalconFeeds.io.

Known to have been active since 2019, the Clop (stylized as Cl0p) ransomware operation was dealt a major blow in June 2021, when six individuals associated with the gang were arrested following an international law enforcement operation codenamed Operation Cyclone.

However, the cybercrime group staged what has been described as an “explosive and unexpected” comeback in early 2022, claiming dozens of victims across industries and technology sectors.

SentinelOne characterized the Linux version as an early-stage build, since it lacks some features present in its Windows counterpart.

This lack of functional parity is also explained by the fact that the malware author chose to build a custom Linux payload rather than simply port the Windows version, which suggests that future Clop variants may close these gaps.

“The reason for this is that it is currently undetected by all 64 security engines on VirusTotal, so the attackers probably didn’t have to spend time and resources to improve obfuscation and evasion,” Terefos explained.

The Linux version is designed to select specific folders and file types for encryption, and the ransomware contains a hard-coded master key that can be used to restore the original files without paying the threat actor.

If anything, this development shows that threat actors are increasingly moving beyond Windows to target other platforms.

“Although the Linux-flavoured variant of Cl0p is currently in its early stages, its development and the near-ubiquitous use of Linux in server and cloud workloads suggest that defenders should expect more Linux-targeted ransomware campaigns in the future,” said Terefos.
