Researchers have discovered a nascent Linux variant of the Cl0p ransomware, which has been used in a small number of attacks, including one against a university in Colombia in December. However, the new variant has a flaw in its encryption routine that has enabled the researchers to develop a decryption tool to recover files affected by it.
The Linux variant of Cl0p surfaced in December and it has a number of similarities to the common Windows version, but it is not identical. While both versions have the same encryption method and similar process logic, the ELF variant looks to be in the initial phase of development and contains a mistake in the file encryption process. The Windows version uses a process that creates an RC4 encryption key for each victim.
“Windows versions of Cl0p ransomware use a Mersenne Twister PRNG (MT19937) to generate a 0x75 bytes size RC4 key for each file. This key is then validated (checks if the first five bytes are NULL) and used for file encryption. Then, by using the RSA public key, it encrypts the generated RC4 key and stores it to $filename.$clop_extension. Victims who pay the ransom demand receive a decryptor which decrypts the generated Cl0p file using the RSA private key, retrieves the generated RC4 key, and then decrypts the encrypted file,” Antonis Terefos of SentinelLabs wrote in an analysis.
The Linux version of Cl0p, however, uses a hardcoded RC4 encryption master key. This enabled the researchers to devise a decryption tool.
“During the file encryption phase, the ransomware - similar to the Windows version - generates a 0x75 bytes size RC4 key, with the use of a lookup table and a PRNG byte. This generated RC4 key is used to encrypt the mappedAddress and write it back to the file. Then by using the RC4 "master-key" the ransomware encrypts the generated RC4 key and stores it to $filename.$clop_extension. By using a symmetric algorithm (second RC4) to "encrypt" the file’s RC4 key, we were able to take advantage of this flaw and decrypt Cl0p-ELF encrypted files,” Terefos said.
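The flaw Terefos describes is a key-wrapping mistake: the per-file RC4 key is protected with a second RC4 pass under a master key that is the same for every victim, so anyone holding that master key can unwrap the file key. The following added example (not SentinelLabs' decryptor and not Cl0p code) models that flow with a pure-Python RC4 to show why recovery needs nothing but the static master key; the master key, the file contents and the use of `os.urandom` for the per-file key are constructed stand-ins, while RC4 and the 0x75-byte key length come from the article.

```python
import os

KEY_LEN = 0x75  # per-file RC4 key size quoted in the article


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR: the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def simulate_elf_flow(master_key: bytes, file_key: bytes, plaintext: bytes):
    """Linux-variant flow as described: the file is encrypted with file_key, and
    file_key is then 'wrapped' with the hardcoded symmetric master key. Returns
    what lands on disk: the ciphertext and the $filename.$clop_extension blob."""
    return rc4(file_key, plaintext), rc4(master_key, file_key)


def recover_file(master_key: bytes, ciphertext: bytes, wrapped_key: bytes) -> bytes:
    """Recovery side: unwrap the file key with the master key, then decrypt.
    No per-victim secret is involved, which is the whole weakness."""
    file_key = rc4(master_key, wrapped_key)
    return rc4(file_key, ciphertext)


def demo() -> bool:
    master_key = b"CONSTRUCTED-MASTER-KEY-PLACEHOLDER"  # stands in for the hardcoded key
    file_key = os.urandom(KEY_LEN)  # assumption: the real generator uses a lookup table
    plaintext = b"constructed sample file contents"
    ciphertext, wrapped = simulate_elf_flow(master_key, file_key, plaintext)
    return recover_file(master_key, ciphertext, wrapped) == plaintext
```

By contrast, the Windows flow wraps the file key with an RSA public key, so the unwrapping secret never ships in the binary and a static-key recovery of this kind is not possible there.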
The Cl0p ransomware emerged several years ago and has been associated with the TA505 cybercrime group and has been blamed for losses of more than $500 million. In 2021, authorities from the United States, Ukraine, and South Korea conducted searches and raids in several locations and arrested six alleged members of the Cl0p operation. But that did not have much effect on Cl0p’s operation, which has continued.
The December 2022 incident that brought the Linux variant of Cl0p to researchers’ attention was an attack on the University of LaSalle in Colombia, which resulted in some of the school's sensitive data being leaked online.
Though the Windows and Linux variants share quite a bit of functionality, there are some differences, aside from the master encryption key. In the Linux variant, Cl0p does not have any function that excludes specific files, folders, or extensions from encryption. Cl0p is not the first ransomware family to target Linux systems, as Hive and Snake, among others, have done so in the past. But Linux ransomware is still relatively new.
“We know that Cl0p operations have shown little if no slow-down since the disruption in June 2021. While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward,” Terefos said.