First Linux version of Clop ransomware has flaw in encryption algorithm
The first Linux version of the Clop ransomware has been discovered, with a flaw in its encryption algorithm that allows it to be decrypted without paying the ransom.
Cybersecurity firm SentinelOne discovered the ELF version on 26 December 2022, and found it to be similar to the Windows version.
The Cl0p ransomware gang, also known as Clop, is a cybercrime group that has been active since 2019. In June 2021, six people associated with the gang were arrested following an international law enforcement operation. However, the group staged a comeback in early 2022 and has since claimed dozens of victims across a range of industries.
The Linux version is currently being used in an attack on educational institutions in Colombia. SentinelOne says it is an early-stage version that lacks some features of its Windows counterpart: it is designed to target specific folders and file types for encryption, and it includes a hard-coded master key for recovery.
This fits a growing trend of threat actors moving beyond Windows to target other platforms, and the development of this Linux-flavoured ransomware suggests that Linux-targeted ransomware campaigns will increase.
Indicators of Compromise
Indicator | Type
---|---
46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5 | SHA-1 file hash
40b7b386c2c6944a6571c6dcfb23aaae026e8e82 | SHA-1 file hash
4fa2b95b7cde72ff81554cfbddc31bbf77530d4d | SHA-1 file hash
a1a628cca993f9455d22ca2c248ddca7e743683e | SHA-1 file hash
a6e940b1bd92864b742fbd5ed9b2ef763d788ea7 | SHA-1 file hash
ac71b646b0237b487c08478736b58f208a98eebf | SHA-1 file hash
ba5c5b5cbd6abdf64131722240703fb585ee8b56 | SHA-1 file hash
77ea0fd635a37194efc1f3e0f5012a4704992b0e | SHA-1 file hash
unlock[@]support-mult.com | Email address (defanged)
unlock[@]rsv-box.com | Email address (defanged)
hxxp[:]//santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad[.]onion | Tor URL (defanged)
hxxp[:]//6v4q5w7di74grj2vtmikzgx2tnq5eagyg2cubpcnqrvvee2ijpmprzqd[.]onion | Tor URL (defanged)
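The indicators above are published defanged (`[.]`, `[@]`, `hxxp[:]//`), so they cannot be dropped straight into a log search. The following is an added example, not code from the article or from SentinelOne: it refangs the listed IoCs, classifies each one by type (hash digests by hex length, email, URL, plus the URL's host on its own because proxy and DNS logs usually record only the host), and then scans a few constructed log lines for matches. The log lines are made up for the example; the indicator values are the ones printed in the table.

```python
"""Normalise the defanged Clop Linux IoCs from the table above and match them
against constructed log lines. Added example; not from the original article
or from SentinelOne's tooling."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators exactly as printed on the page (defanged).
RAW_IOCS = [
    "46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5",
    "40b7b386c2c6944a6571c6dcfb23aaae026e8e82",
    "4fa2b95b7cde72ff81554cfbddc31bbf77530d4d",
    "a1a628cca993f9455d22ca2c248ddca7e743683e",
    "a6e940b1bd92864b742fbd5ed9b2ef763d788ea7",
    "ac71b646b0237b487c08478736b58f208a98eebf",
    "ba5c5b5cbd6abdf64131722240703fb585ee8b56",
    "77ea0fd635a37194efc1f3e0f5012a4704992b0e",
    "unlock[@]support-mult.com",
    "unlock[@]rsv-box.com",
    "hxxp[:]//santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad[.]onion",
    "hxxp[:]//6v4q5w7di74grj2vtmikzgx2tnq5eagyg2cubpcnqrvvee2ijpmprzqd[.]onion",
]

# Hex digest length -> algorithm. The 40-character values above are SHA-1 length.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: [.] (.) [@] [:] and hxxp."""
    s = ioc.strip()
    for bracketed, plain in (("[.]", "."), ("(.)", "."), ("[@]", "@"), ("[:]", ":")):
        s = s.replace(bracketed, plain)
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def classify(ioc: str) -> tuple[str, str]:
    """Return (kind, normalised lower-case value) for one indicator."""
    value = refang(ioc).lower()
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)], value
    if re.fullmatch(r"https?://\S+", value):
        return "url", value
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z0-9-]+", value):
        return "email", value
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value):
        return "domain", value
    return "unknown", value


def build_index(raw_iocs) -> dict[str, set[str]]:
    """Group normalised indicators by kind. Each URL also contributes its host
    under "domain", since proxy and DNS logs usually record the host alone."""
    index: dict[str, set[str]] = {}
    for raw in raw_iocs:
        kind, value = classify(raw)
        index.setdefault(kind, set()).add(value)
        if kind == "url":
            host = urlsplit(value).hostname
            if host:
                index.setdefault("domain", set()).add(host)
    return index


def scan_line(line: str, index) -> list[tuple[str, str]]:
    """Case-insensitive substring match of every indexed indicator in one line."""
    low = line.lower()
    return sorted((kind, v) for kind, values in index.items() for v in values if v in low)


def scan_logs(lines, index) -> dict[int, list[tuple[str, str]]]:
    """Map 0-based line number -> hits, only for lines matching at least one IoC."""
    hits: dict[int, list[tuple[str, str]]] = {}
    for n, line in enumerate(lines):
        found = scan_line(line, index)
        if found:
            hits[n] = found
    return hits


# Constructed log lines (not real telemetry) to exercise the matcher.
SAMPLE_LOGS = [
    "2023-02-07T10:15:01Z edr host=srv01 event=file_write sha1=46B02CC186B85E11C3D59790C3A0BFD2AE1F82A5",
    "2023-02-07T10:16:22Z mta from=unlock@rsv-box.com rcpt=helpdesk@example.org",
    "2023-02-07T10:17:05Z proxy host=santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion action=blocked",
    "2023-02-07T10:18:40Z sshd Accepted publickey for deploy from 10.0.0.5",
]

if __name__ == "__main__":
    idx = build_index(RAW_IOCS)
    for n, found in scan_logs(SAMPLE_LOGS, idx).items():
        print(n, found)
```

Two points worth noting when reusing this against real telemetry: the classifier goes by digest length, so the eight 40-character values are indexed as SHA-1 regardless of how a feed labels them, and a mismatch like that is worth checking before loading any feed into a blocklist; and the hash match is a plain substring test, so make sure the log field you compare against actually carries a file digest rather than an unrelated hex token.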