Clop Ransomware Releases a Flawed Linux Encryptor
Clop Ransomware Releases a Flawed Linux Encryptor
A Linux variant of the Clop ransomware encryptor was spotted in the wild however, a flaw was identified in the program to reverse the encryption. SentinelLabs discovered the Linux variant on December 26th, 2022, using the encryption method as its Windows counterpart. The Clop Linux variant seems to be in its development stage since it contains an encryption flaw and missing features for obfuscation, evasion, and drive enumeration. A key flaw found in the Linux encryptor was the use of a hardcoded RC4 "master key" which produces the encrypting keys but is also the same key used to encrypt itself and is stored locally on the host. As analyzed by SentinelLabs, "using the RC4 “master-key” the ransomware encrypts the generated RC4 key and stores it to $filename.$clop_extension. By using a symmetric algorithm (second RC4) to “encrypt” the file’s RC4 key, we were able to take advantage of this flaw and decrypt Cl0p-ELF encrypted files." Despite being incomplete the threat actors still deployed the malware in the wild, with confidence given a low detection in VirusTotal, only 8/63 as of February 7th, 2023. The malware is suspected to have been deployed as part of an attack against a Colombian university. While the flaw may exist now, Clop operators will undoubtedly fine-tune their encryptor in future deployments.