Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Cl0p ransomware targets Linux systems with flawed encryption - Decryptor available

February 2023 by SentinelLabs

First Linux variant of Cl0p ransomware

SentinelLabs observed the first ELF variant of Cl0p (also known as Clop) ransomware targeting Linux systems on the 26th of December 2022. The new variant is similar to the Windows variant, using the same encryption method and similar process logic, though it contains small differences mostly attributed to OS differences such as API calls. It appears to be in its initial development phases as some functionalities present in the Windows versions do not currently exist in this new Linux version.

The mentioned sample appears to be part of a bigger attack that possibly occurred around the 24th of December against a University in Colombia. On the 5th of January the cybercrime group leaked victim’s data on their onion page.

The ELF executable contains a flawed encryption algorithm, making it possible to decrypt locked files without paying the ransom. SentinelLabs has published a free decryptor for the variant.

Ransomware groups show no signs of slowing down

Over the last twelve months or so, SentinelLabs has continued to observe the increased targeting of multiple platforms by individual ransomware operators or variants. The discovery of an ELF-variant of Cl0p adds to the growing list of the likes of Hive, Qilin, Snake, Smaug, Qyick and numerous others.

Cl0p operations have shown little if no slow-down since the disruption in June 2021. While the Linux-flavoured variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward.

SentinelLabs continues to monitor the activity associated with Cl0p.


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts