Researchers have discovered a new Linux variant of Cl0p (aka Clop), which was used in late December 2022 in an attack against a university in Colombia.
Cl0p has been one of the most active ransomware families over the past several years, targeting numerous private and public organizations globally. In November 2021, authorities announced the arrest of six individuals linked to the Cl0p operation, but the ransomware continues to be used in attacks. In August 2022, Cl0p claimed responsibility for hacking a UK water company.
The ELF variant of Cl0p has been developed in a similar logic to the Windows version and appears to be in the early development stages, as it lacks some of the functionality seen in Windows samples. The differences that are observed include API calls and other OS-related changes, but the encryption method is the same.
Once its executed, the ransomware attempts to access the root, after which it begins encrypting other directories. Unlike the Windows variant, it targets specific folders and subfolders, encrypting all files in them.
Cl0p for Linux targets subdirectories for optional software packages, multiple Oracle directories, the home directory for each user, and the home directory for the root user. A ransom note is then dropped on the victim’s machine, instructing them to contact the attackers via email.
Though it is in the earlier stage, researchers revealed a flaw in the encryption algorithm, where a hardcoded RC4 ‘master-key’ is used during the encryption process, which allowed them to decrypt Cl0p-encrypted files.
Researchers have created a Python script that is available on GitHub in a wake of helping the victims of the Cl0p-ELF variant restore their data.
This research was documented by researchers from SentinelOne
Indicators of Compromise