The Clop ransomware gang has recently been spotted using a malware variant built specifically for Linux servers. However, a flaw in its encryption scheme has allowed victims to recover their files for months without paying the criminals. This Linux version of Clop was discovered in December 2022 by a researcher at SentinelLabs, after the threat group used it in an attack against a university in Colombia.

Although the Windows and Linux versions of Clop are very similar, there are some differences, mainly related to OS API calls and to features that have yet to be implemented in the Linux variant. The Linux malware is still in its early stages: it lacks proper obfuscation and evasion mechanisms, and its encryption can be reversed.

On launch, the Linux executable creates a new process that attempts to elevate its privileges to a level that allows it to encrypt data. It targets users' /home directories, /root, /opt, and Oracle directories. It also lacks support for the hashing algorithm the Windows version uses to exclude certain file types and folders from encryption.

The cryptographic weakness is in key handling. The Windows variant protects the RC4 keys used for file encryption with an RSA-based asymmetric algorithm, so the key material on disk cannot be recovered without the attackers' private key. The Linux version does not do this. Instead, it uses a hardcoded RC4 master key to generate the per-file encryption keys, then encrypts each file key with that same master key and stores the result locally in the encrypted file. Because the master key is static and present in the binary, the file keys can be freely retrieved and the encryption reversed. SentinelLabs has shared its decryptor with law enforcement so they can help victims recover their files.

Despite these weaknesses, the use of the Linux variant in real Clop attacks shows that, for the threat actors, having a Linux version, even one whose encryption is easy to break, is preferable to being unable to attack Linux systems within target organizations.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 07 Feb 2023 11:19:03 +0000