Clop has a new version
The Clop ransomware gang is employing a new malware type that targets Linux servers, but the encryption mechanism is defective, allowing victims to recover their files for free.
The Linux edition of Clop was discovered in December 2022 by SentinelLabs researcher Antonis Terefos after the threat organisation deployed it in conjunction with the Windows version in an attack against a Colombian institution. Although the Linux version is comparable to the Windows version, with the same encryption mechanism and process logic, there are several variations, primarily in OS API calls and capabilities that have yet to be implemented.
Clop ransomware faults and features
The Linux malware is still in its early stages and lacks sufficient obfuscation and evasive features, rendering it vulnerable to assault. When the malware is launched, it launches a new process that seeks to get greater permissions in order to allow data encryption. The targeted files and folders include the user's personal files in the "/home" directory, the "/root" and "/opt" directories, and the Oracle database folders ("/u01" - "/u04"). The targeting of Oracle database directories is unusual in Linux ransomware encryptors, which often target ESXi virtual machines.
Some functionalities are missing from the Linux variant, including as drive enumeration, command line options, and the exclusion of specific file types and directories from encryption. The encryption mechanism is likewise flawed, with a hardcoded RC4 "master key" used to generate encryption keys as well as encrypt and store the RC4 key locally. The key is not checked, and the RC4 and extra data are saved to the file, making the encryption easily reversible.
SentinelLabs distributed it’s decryptor
Despite its flaws, the use of the Linux variant in actual Clop assaults illustrates the threat actors' desire for having a Linux version, even if it is faulty, to attack Linux computers within target organisations. SentinelLabs has provided its decryptor with law enforcement to assist victims in recovering their files, and it will continue to engage with relevant groups to enhance the economics of the ransomware arena in favour of defenders.