Clop ransomware for Linux: Flaw allows file recovery

The Clop ransomware operation now also uses a variant of the malware that only targets Linux servers, but a flaw in the encryption system allows victims to recover their files without paying a ransom.

Today, cybersecurity company SentinelOne announced the discovery of a Linux variant of Cl0p (aka Clop), which was used in late December 2022 in an attack against a university in Colombia.

Clop Ransomware

The ELF variant of Cl0p has been developed in a similar logic to the Windows version and appears to be in early development stages, as it lacks some of the functionality seen in Windows samples.

Observed differences include API calls and other OS-related changes, but the encryption method is the same, SentinelOne says.

After execution, the ransomware attempts to access root, after which it begins encrypting other directories. Unlike the Windows variant, it targets specific folders and subfolders, encrypting all files in them.

The Linux variant also does not support the hashing algorithm used by the Windows version to block some file types and folders from encryption. Also, there is no mechanism to treat files of different sizes differently in Linux.

The Linux version of Clop lacks several features that could prove very useful, such as drive enumeration that could help locate the starting point for recursive file encryption and command-line parameters that offer increased control over encryption.

Despite its weaknesses, the use of the Linux variant in real Clop attacks shows that, for threat actors, having a Linux version, even a flawed one, is still preferable to being unable to attack Linux systems inside target organizations.

Indicators of Compromise

Win ransom note: !_READ_ME.RTF
Cl0p ransom extension: .C_I_0P
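A triage sweep that looks for the two filesystem markers reported in SentinelOne's IOC list, the .C_I_0P extension and the !_READ_ME.RTF note, and reports per directory how many encrypted files and whether a note is present. This is an added example, not code from the article or from SentinelOne; the sample directory layout it builds is constructed for the demonstration.

```python
"""Filesystem triage sweep for the Linux Cl0p markers in SentinelOne's IOC list.

Added example, not code from the original article or from SentinelOne. It
looks for the ".C_I_0P" extension and the "!_READ_ME.RTF" ransom note; the
directory tree created by build_sample_tree() is constructed here.
"""
import os
import tempfile

RANSOM_EXTENSION = ".C_I_0P"   # Cl0p ransom extension from the IOC list
RANSOM_NOTE = "!_READ_ME.RTF"  # ransom note filename from the IOC list


def sweep(root):
    """Walk `root` and report directories that show signs of Cl0p encryption.

    Returns a dict mapping each directory (relative to root) to a tuple
    (encrypted_file_count, note_present). Directories without either marker
    are omitted, so an empty dict means no markers were found.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sum(1 for f in filenames if f.endswith(RANSOM_EXTENSION))
        note = RANSOM_NOTE in filenames
        if encrypted or note:
            findings[os.path.relpath(dirpath, root)] = (encrypted, note)
    return findings


def build_sample_tree():
    """Construct a throwaway tree with one hit directory and one clean one."""
    root = tempfile.mkdtemp(prefix="clop_sweep_")
    hit = os.path.join(root, "srv", "www")
    clean = os.path.join(root, "home", "user")
    os.makedirs(hit)
    os.makedirs(clean)
    # Two encrypted files plus the note in the hit directory (constructed).
    for name in ("index.html" + RANSOM_EXTENSION,
                 "config.php" + RANSOM_EXTENSION, RANSOM_NOTE):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "notes.txt"), "w").close()
    return root


if __name__ == "__main__":
    for directory, (count, note) in sweep(build_sample_tree()).items():
        print(f"{directory}: {count} encrypted file(s), note present={note}")
```

Run against a real mount point the same sweep gives a quick map of which directory trees the variant reached, which is useful when deciding where recovery effort should go.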

