The first Linux version of the Clop ransomware has been discovered in the wild, but with a flawed encryption algorithm that enables the process to be reverse-engineered.
"The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News.
The cybersecurity firm, which has created a decryptor available, stated that it discovered the ELF version on December 26, 2022, while also mentioning similarities to the Windows flavor in terms of employing the same encryption method.
Around the same time, the detected sample is said to be a component of a larger attack targeting educational institutions in Colombia, including La Salle University. As per FalconFeedsio, the university was added to the criminal group's leak site in early January 2023.
The Clop (stylized as Cl0p) ransomware operation, which has been active since 2019, dealt a major blow in June 2021 when six members of the group were arrested by police as part of an international law enforcement operation codenamed Operation Cyclone.
However, the cybercrime group made a "explosive and unexpected" comeback in early 2022, claiming dozens of victims from the industrial and technology sectors. SentinelOne classified the Linux version as an early-stage version due to the absence of some functions found in the Windows counterpart.
This lack of feature parity is also explained by the malware authors' decision to create a custom Linux payload rather than simply porting over the Windows version, implying that future Clop variants may close the gap.
"A reason for this could be that the threat actor has not needed to dedicate time and resources to improve obfuscation or evasiveness due to the fact that it is currently undetected by all 64 security engines on VirusTotal," Terefos explained.
The Linux version is intended to encrypt specific folders and file types, with the ransomware containing a hard-coded master key that can be used to recover the original files without paying the threat actors. If anything, the development indicates a growing trend of threat actors branching out beyond Windows to target other platforms.
Terefos concluded, "While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward,"
