On December 26, researchers observed the first Clop ransomware variant targeting Linux systems. Clop has been active since 2019, attacking large companies, financial institutions, primary schools, and critical infrastructure around the world. After the group targeted several major South Korean companies in November 2020, several people connected to the group were arrested in Kyiv, Ukraine. Those people had laundered more than $500 million on behalf of Clop and another ransomware group.

The Linux variant of Clop was mainly used against educational institutions, but it had weaknesses that defenders could exploit to help victims, which allowed researchers to create a decryptor tool. The Linux version was at an early stage of development, suggesting that the threat actors were still operating it manually and tweaking the ransomware for specific victims. The Windows version of Clop lets the operators list which folders and files should not be encrypted; that functionality was not seen in the Linux version, which instead targets specific folders and all file types. The Linux version also leaves the ransom note in .txt format, while the Windows version leaves the ransom note in . SentinelLabs expects future versions of the Linux variant to eliminate these differences, with each new feature applied to both variants simultaneously.

Ransomware groups are constantly looking for new targets and methods to maximize their profits. Linux and cloud systems are widely used in enterprise environments, making them attractive targets for ransomware attacks, so ransomware groups moving to Linux and cloud systems is a natural progression in their search for higher profits and easier targets.
This Cyber News was published on therecord.media. Publication date: Wed, 08 Feb 2023 17:14:02 +0000