2023-02-07

The first Linux variant of the Clop ransomware has been discovered, but it ships with a flawed encryption algorithm that made it possible to analyse it (by reverse engineering), detect it and stop it without difficulty.

Clop Ransomware: what the insiders tell us

“The ELF executable contains an imperfect encryption algorithm which makes it possible to decrypt locked files without paying the ransom,” said SentinelOne researcher Antonis Terefos in a report.

The security company, which has published a decryptor on GitHub, said it observed the ELF version on December 26, 2022, and noted its similarities with the Windows variant, since the ransomware apparently uses the same encryption method. In short, it was easy to work out how the Clop ransomware is written, because the Linux and Windows versions do not diverge much.

At the same time, the two versions have substantial differences that are hard to explain briefly to a non-expert; the essential point is that, because the Linux version only loosely resembles the Windows one, the files it encrypts are easy to decrypt.

Below is a video explaining how to decrypt files encrypted by Clop Ransomware on Windows.

The sample is thought to be part of a larger wave of attacks on Colombian educational institutions, including La Salle University, around the same time. The university was added to the list of victims in January 2023, when FalconFeedsio shared a Twitter post with a screenshot taken from the dark web.

Known to have been active since 2019, the Clop (stylized as Cl0p) ransomware operation took a major hit in June 2021, when six individuals affiliated with the gang were arrested following an international law enforcement action dubbed Operation Cyclone.

But the cybercriminal group staged an “explosive and unexpected” comeback in early 2022, claiming dozens of victims in the industrial and technology sectors.

SentinelOne characterized the Linux version as an early-stage release, because it lacks some features present in its Windows counterpart.

This lack of feature parity is also explained by the fact that the malware authors chose to write a custom Linux payload rather than simply port the Windows version, which suggests that future Clop variants could fill these gaps.

“One reason could be that the threat actor didn’t need to spend time and resources improving obfuscation or evasiveness, due to the fact that it is currently undetected by all 64 security engines on VirusTotal,” Terefos explained.

The Linux version is designed to locate specific folders and file types for encryption, and the Clop ransomware binary contains a hardcoded master key that can be used to recover the original files without paying the threat actors.
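The behaviour the article describes, a process walking chosen folders and rewriting document files with cipher output, is something defenders can look for without any Clop-specific indicator. The following script is an added example written for this page; it is not SentinelOne's decryptor or any code from the article. It assumes a hypothetical feed of file-write events (timestamp, pid, path, bytes written), such as an EDR or an auditd-derived pipeline might produce, and works over a constructed sample: it measures the Shannon entropy of each write, treats near-uniform content above a threshold as ciphertext-like, and flags any process that rewrites several distinct files that way inside a short window.

```python
import math
import random
from collections import defaultdict

# --- Constructed sample data (not real Clop artifacts) -----------------------
_rng = random.Random(2023)  # fixed seed keeps the sample reproducible


def _ciphertext_like(n=4096):
    """Bytes that resemble cipher output: near-uniform distribution, high entropy."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


def _plaintext_like(n=4096):
    """Bytes that resemble an ordinary document: repetitive, low entropy."""
    line = b"quarterly report, all figures in EUR\n"
    return (line * (n // len(line) + 1))[:n]


# Each event is (timestamp_seconds, pid, path, bytes_written); paths and pids are made up.
SAMPLE_EVENTS = (
    # pid 4242 rewrites six documents in a few seconds, all ciphertext-like: the ransomware pattern
    [(100 + i, 4242, f"/srv/share/doc{i}.xlsx", _ciphertext_like()) for i in range(6)]
    # pid 2000 also rewrites six files quickly, but with plaintext-like content: normal editing
    + [(100 + i, 2000, f"/home/ana/notes{i}.txt", _plaintext_like()) for i in range(6)]
    # pid 3000 writes two ciphertext-like files minutes apart, e.g. a backup job producing .gpg
    + [(200, 3000, "/backup/a.gpg", _ciphertext_like()),
       (400, 3000, "/backup/b.gpg", _ciphertext_like())]
    # pid 5000 writes many tiny files; too small for entropy to say anything
    + [(300 + i, 5000, f"/tmp/lock{i}", _ciphertext_like(16)) for i in range(8)]
)


# --- Detection logic ----------------------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, between 0.0 (one repeated value) and 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.0, min_size: int = 256) -> bool:
    """A file of k bytes cannot exceed log2(k) bits of entropy, so tiny writes
    are skipped rather than scored; otherwise compare against the threshold."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def detect_mass_encryption(events, window_seconds=10, min_files=5, threshold=7.0):
    """Return the sorted pids that rewrote at least min_files distinct paths with
    ciphertext-like content inside some window of window_seconds."""
    per_pid = defaultdict(list)
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        if looks_encrypted(data, threshold):
            per_pid[pid].append((ts, path))
    flagged = []
    for pid, writes in per_pid.items():
        start = 0
        for end, (ts, _) in enumerate(writes):
            # slide the window start forward until it covers only the last window_seconds
            while writes[start][0] < ts - window_seconds:
                start += 1
            if len({p for _, p in writes[start:end + 1]}) >= min_files:
                flagged.append(pid)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for pid in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"pid {pid}: burst of ciphertext-like rewrites across multiple files")
```

Only pid 4242 is reported on the sample: the plaintext editor, the slow backup job and the tiny lock files all fall outside the pattern. Compressed archives and legitimately encrypted files also have high entropy, so in production this heuristic belongs next to a per-process baseline or an allowlist of extensions such as .gz and .gpg, and the thresholds should be tuned to the host's normal write rate.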

If anything, the development points to a growing trend of these bad actors increasingly venturing beyond Windows to target other platforms.

“While the Cl0p variation of Linux is, right now, in its infancy, its development, and the nearly ubiquitous use of Linux in servers and cloud workloads, suggest defenders should expect to see more ransomware campaigns targeting Linux in the future,” concluded Terefos.

Why more and more malware and ransomware (like the Clop ransomware) are attacking Linux systems

Many people wrongly believe that “just install Linux and you’re immune to viruses”.

The fact that there are fewer threats for Linux does not mean that Linux distributions are immune to them.

Add to this a further consideration: if Linux has no “official” detection channel comparable to Malwarebytes or Windows Defender on Windows, or Google Play Protect on the Google Play Store, how do you know the exact number of malware families, ransomware strains (like Clop) and other threats affecting Linux systems?

The answer is easy: you cannot!

Unfortunately, operating systems based on the Linux kernel are heavily mythologized by their users; as their adoption grows (especially on servers), the cyber threats that affect them grow as well.