The Clop Ransomware Vulnerability Enabled Linux Users to Retrieve Their Files for an Extended Period of Time

The Clop ransomware gang has recently been spotted using a malware variant that is specifically designed to target Linux servers. However, a flaw in the encryption scheme has allowed victims to recover their files without paying the criminals any money for months. This new Linux version of Clop was discovered in December 2022 by a researcher at SentinelLabs, after the threat group used it in an attack against a university in Colombia. Although the Windows and Linux versions of Clop are very similar, there are some differences, mainly related to OS API calls and features that have yet to be implemented in the Linux variant. The Linux malware is still in its early stages, as it lacks proper obfuscation and evasiveness mechanisms, and it is also vulnerable to being decrypted. The Linux executable of Clop ransomware creates a new process upon launch, which attempts to elevate permissions to a level that would allow data encryption. It targets the users /home directory, /root directory, /opt, and Oracle directories. It also lacks support for the hashing algorithm used by the Windows version to exclude certain file types and folders from encryption. In addition, the Linux version does not encrypt the RC4 keys used for file encryption with the RSA-based asymmetric algorithm used in the Windows variant. Instead, it uses a hardcoded RC4 Master key to generate the encrypting keys and then uses the same key to encrypt it and store it locally on the file. This weak scheme does not protect the keys from being freely retrieved and the encryption from being reversed. SentinelLabs has shared their decryptor with law enforcement, so they can help victims recover their files. Despite its weaknesses, the use of the Linux variant in actual Clop attacks shows that, for the threat actors, having a Linux version, even one that is easy to compromise, is still preferable to not being able to attack Linux systems within the target organizations.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 07 Feb 2023 11:19:03 +0000


Cyber News related to The Clop Ransomware Vulnerability Enabled Linux Users to Retrieve Their Files for an Extended Period of Time

CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago
The Clop Ransomware Vulnerability Enabled Linux Users to Retrieve Their Files for an Extended Period of Time - The Clop ransomware gang has recently been spotted using a malware variant that is specifically designed to target Linux servers. However, a flaw in the encryption scheme has allowed victims to recover their files without paying the criminals any ...
1 year ago Bleepingcomputer.com
A version of the Clop ransomware designed for Linux systems was aimed at universities and colleges but had flaws - On December 26, researchers observed the first Clop ransomware variant targeting Linux systems. Clop has been around since 2019, attacking large companies, financial institutions, primary schools, and critical infrastructure around the world. After ...
1 year ago Therecord.media
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
8 months ago Cisa.gov
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
8 months ago Cisa.gov
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
10 months ago Securityboulevard.com
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
11 months ago Helpnetsecurity.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
11 months ago Feeds.fortinet.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
10 months ago Unit42.paloaltonetworks.com
Top 10 Notorious Ransomware Gangs of 2023 - By employing a multitude of advanced techniques like double extortion along with other illicit tactics, ransomware groups are continually evolving at a rapid pace. Here below, we have mentioned all the types of ransomware used by the threat actors ...
11 months ago Cybersecuritynews.com
Cisco Talos Report: New Trends in Ransomware, Network Infrastructure Attacks, Commodity Loader Malware - The Cisco Talos Year in Review report released Tuesday highlights new trends in the cybersecurity threat landscape. We'll focus on three topics covered: the ransomware cybercriminal ecosystem, network infrastructure attacks and commodity loader ...
11 months ago Techrepublic.com
Key Group uses leaked builders of ransomware and wipers | Securelist - The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and ...
2 months ago Securelist.com
Dozens of countries will pledge to stop paying ransomware gangs - An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups. Addressing reporters on Monday, Anne Neuberger, ...
1 year ago Bleepingcomputer.com
Ransomware Roundup - On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the ...
10 months ago Feeds.fortinet.com
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
10 months ago Techrepublic.com
The Evolving Landscape of Ransomware Attacks - 1.7 million ransomware attacks are happening every day. Many people think the virus has locked their computer, but it is actually the ransomware that has locked all their files. As the name ransomware suggests they are after ransom. Stealing or ...
11 months ago Cyberdefensemagazine.com
Waiting for the BlackCat rebrand - We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. While the Tor onion domain seizure was a ...
8 months ago Bleepingcomputer.com
Declining Ransomware Payments: Shift in Hacker Tactics? - Several cybersecurity advisories and agencies recommend not caving into ransomware gangs' demands and paying their ransoms. It seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean ...
9 months ago Securityboulevard.com
Ransomware Roundup - On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the ...
8 months ago Feeds.fortinet.com
6 Ransomware Trends & Evolutions For 2023 - More than any other industry, cybersecurity is constantly changing. The number of major paradigm shifts that have transformed the world of cybersecurity in the past few years has been unprecedented, especially when it comes to combating ransomware. ...
1 year ago Trendmicro.com
Adobe Real-Time CDP: Personalized Customer Experience - Adobe Experience Cloud Products like Adobe Real-Time CDP are available to assist. A revolutionary solution called Adobe Real-Time Customer Data Platform was created to assist companies in realizing the whole value of their customer data. Adobe ...
11 months ago Hackread.com
Ransomware review: January 2024 - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. In February, there were 376 ransomware victims, marking an unusually active month for the historically subdued time period. February didn't ...
8 months ago Malwarebytes.com
The Week in Ransomware - Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ...
11 months ago Bleepingcomputer.com
The Evolution of Ransomware 4 Types of Cyber Threats in 2023 - Security professionals and CISOs have been protecting their organizations from ransomware for a long time, adapting to changes in technology to protect against the risks of stolen data or disruptions to important systems. Cybercriminals are always ...
1 year ago Trendmicro.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)