Cl0p has been one of the most active ransomware families over the past several years, targeting numerous private and public organizations globally, in sectors such as aerospace, energy, education, finance, high-tech, healthcare, manufacturing, telecoms, and transportation and logistics.
According to CISA, the recent large-scale ESXiArgs ransomware campaign encrypted 2,800 servers.
In the campaign, the attackers failed to encrypt flat files containing virtual disk data; this allowed YoreGroup Tech researchers to create a decryptor to rebuild virtual machines from these flat files and assist numerous victims in decrypting their systems.
Cl0p for Linux targets subdirectories for optional software packages, multiple Oracle directories, the home directory for each user, and the home directory for the root user. A ransom note is then dropped on the victim’s machine, instructing them to contact the attackers via email.
A Decryptor for Cl0p ELF Variants
Cl0p ransomware (a.k.a. CLOP) is part of the Cryptomix ransomware family and has been active since 2019. It has targeted cybersecurity compliance firm Qualys and several health services and organizations over the years.
The first Linux version of the Cl0p ransomware has been detected, with a flaw in its encryption algorithm that makes it possible to reverse the encryption process.
To help victims of the Cl0p-ELF variant restore their data, SentinelOne has created a Python script that is available on GitHub.