The first Linux version of the Clop ransomware has been discovered, with a flaw in its encryption algorithm that allows it to be decrypted without paying the ransom.


Cybersecurity firm SentinelOne discovered the ELF version on 26 December 2022, and found it to be similar to the Windows version.

The Cl0p ransomware gang, also known as Clop, is a cybercrime group that has been active since 2019. In June 2021, six people associated with the gang were arrested following an international law enforcement operation. However, the group staged a comeback in early 2022 and has since claimed dozens of victims across a range of industries.

The Linux version is currently being used in an attack on educational institutions in Colombia. SentinelOne says it is an early-stage build that lacks some of the features of its Windows counterpart: it is designed to target specific folders and file types for encryption, and it includes a hard-coded master key for recovery.


This fits a growing trend of threat actors moving beyond Windows to target other platforms, and the development of this Linux-flavoured ransomware suggests that Linux-targeted ransomware campaigns will increase.


Indicators of Compromise
