Clop ransomware for Linux: Flaw allows file recovery

The Clop ransomware operation now also uses a variant of the malware that only targets Linux servers, but a flaw in the encryption system allows victims to recover their files without paying a ransom.

Today, cybersecurity company SentinelOne announced the discovery of a Linux variant of Cl0p (aka Clop), which was used in late December 2022 in an attack against a university in Colombia.

Clop Ransomware

The ELF variant of Cl0p has been developed in a similar logic to the Windows version and appears to be in early development stages, as it lacks some of the functionality seen in Windows samples.

Observed differences include API calls and other OS-related changes, but the encryption method is the same, SentinelOne says.

After execution, the ransomware attempts to access root, after which it begins encrypting other directories. Unlike the Windows variant, it targets specific folders and subfolders, encrypting all files in them.

The Linux variant also does not support the hashing algorithm used by the Windows version to block some file types and folders from encryption. Also, there is no mechanism to treat files of different sizes differently in Linux.

The Linux version of Clop lacks several features that could prove very useful, such as drive enumeration that could help locate the starting point for recursive file encryption and command-line parameters that offer increased control over encryption.

Despite its weaknesses, the use of the Linux variant in real Clop attacks proves that, for threat actors, having a Linux version, even an easily hacked one, is still preferable to not being able to attack Linux systems inside target organizations .

Indicators of Compromise

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!