Cl0p Ransomware Targets Linux Systems with Flawed Encryption | Decryptor Available

SentinelLabs documented the first Linux ELF variant of Cl0p ransomware. Its encryption routine is flawed, so encrypted files can be recovered without paying the ransom, and SentinelLabs released a free decryptor for this Linux variant. Hashtags: #Cl0p #Cl0pELF #Linux #SentinelLabs #SentinelOne

Keypoints

  • The first Linux ELF variant of Cl0p ransomware targeting Linux systems was observed by SentinelLabs.
  • The Linux variant uses flawed encryption logic that allows files to be decrypted without paying the ransom.
  • SentinelLabs published a free decryptor for the Linux Cl0p-ELF variant.
  • The Linux variant targets specific folders such as /opt, /u01–/u04, /home, and /root for encryption.
  • The ELF variant features a hardcoded RC4 “master-key” and does not include the Windows-style folder/file exclusions or RSA-based key encryption.
  • Ransom notes and attacker contact details are provided in both the ELF and Windows variants, and the attackers' onion leak and chat pages are listed.

MITRE Techniques

  • [T1543] Create or Modify System Process – The ransomware detaches itself by calling fork and exiting the parent, so the child continues running on its own. “Initially, the ransomware creates a new process by calling fork and exits the parent-process.”
  • [T1083] File and Directory Discovery – The ransomware recursively walks target folders such as “/opt” and user directories looking for files to encrypt. “find(char *,char const*)” … “performs a recursive search from the starting folder until it encrypts the ‘matching’ regex files.”
  • [T1486] Data Encrypted for Impact – The ELF variant encrypts targeted files across directories with RC4, writing the encrypted data back in place, and makes use of the hardcoded RC4 “master-key”. “During the file encryption phase, the ransomware – similar to the Windows version – generates a 0x75-byte RC4 key…”
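The keypoints above note that the ELF variant generates a 0x75-byte RC4 key per file but, unlike the Windows version, protects it with a hardcoded RC4 “master-key” rather than RSA. The following toy model, an added example that is neither SentinelLabs' decryptor nor code from the sample, shows why that design is recoverable: if the per-file key is wrapped with a static symmetric key, anyone holding that constant can unwrap it. The exact on-disk layout (ciphertext followed by the wrapped key), the placeholder master key and the helper names are assumptions made for illustration, not details from the page.

```python
import os

# Constructed placeholder; the real hardcoded key is not reproduced here.
MASTER_KEY = b"placeholder-hardcoded-master-key"
FILE_KEY_LEN = 0x75  # per-file RC4 key size mentioned in the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the input
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wrap_model(plaintext: bytes, file_key: bytes = b"") -> bytes:
    """Assumed layout of the weak scheme: RC4_filekey(data) || RC4_master(file_key).

    Exists only to build sample input for recover(); the layout is an assumption."""
    file_key = file_key or os.urandom(FILE_KEY_LEN)
    return rc4(file_key, plaintext) + rc4(MASTER_KEY, file_key)


def recover(blob: bytes) -> bytes:
    """Recovery step: unwrap the per-file key with the static master key, then decrypt.

    No attacker-held secret is needed because the wrapping key is a constant in the
    binary; with RSA wrapping (as in the Windows variant) this step would require the
    attacker's private key."""
    body, wrapped = blob[:-FILE_KEY_LEN], blob[-FILE_KEY_LEN:]
    file_key = rc4(MASTER_KEY, wrapped)
    return rc4(file_key, body)


if __name__ == "__main__":
    sample = b"constructed file contents"
    assert recover(wrap_model(sample)) == sample
    print("per-file key recovered from static master key; plaintext restored")
```

The contrast with the Windows variant is the point: wrapping the per-file key with an RSA public key means only the holder of the private key can unwrap it, whereas a symmetric master key shipped inside the binary is available to anyone who analyses the sample, which is what makes a free decryptor possible.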

Indicators of Compromise

  • [SHA1] ELF Cl0p – 46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5, 40b7b386c2c6944a6571c6dcfb23aaae026e8e82, and 2 more hashes
  • [SHA1] Win Cl0p – 4fa2b95b7cde72ff81554cfbddc31bbf77530d4d, a1a628cca993f9455d22ca2c248ddca7e743683e, and 2 more hashes
  • [SHA1] ELF Cl0p Note – ba5c5b5cbd6abdf64131722240703fb585ee8b56
  • [SHA1] Win Cl0p Note – 77ea0fd635a37194efc1f3e0f5012a4704992b0e
  • [File extension] Cl0p Ransom Extension – .C_I_0P
  • [File name] ELF Ransom Note – README_C_I_0P.TXT
  • [File name] Windows Ransom Note – !_READ_ME.RTF
  • [Email] Cl0p Contact Email – [email protected], [email protected]
  • [URL] Cl0p Onion Leak Page – hxxp[:]//santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion
  • [URL] Cl0p Onion Chat Page – hxxp[:]//6v4q5w7di74grj2vtmikzgx2tnq5eagyg2cubpcnqrvvee2ijpmprzqd.onion
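The indicators above can be turned into a simple host-side sweep. The script below is an added example, not tooling from SentinelLabs, and uses only the file-based IoCs listed on this page (the .C_I_0P extension, the two ransom-note names and the listed SHA1 hashes); the default scan roots are the folders the report says the ELF variant targets. The sample directory tree it builds is constructed for an offline demonstration and its contents are placeholders, so the hash check will not match anything there.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# IoCs taken from the summary above
CL0P_EXTENSION = ".C_I_0P"
NOTE_NAMES = {"README_C_I_0P.TXT", "!_READ_ME.RTF"}
KNOWN_SHA1 = {
    "46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5",  # ELF Cl0p
    "40b7b386c2c6944a6571c6dcfb23aaae026e8e82",  # ELF Cl0p
    "4fa2b95b7cde72ff81554cfbddc31bbf77530d4d",  # Win Cl0p
    "a1a628cca993f9455d22ca2c248ddca7e743683e",  # Win Cl0p
    "ba5c5b5cbd6abdf64131722240703fb585ee8b56",  # ELF ransom note
    "77ea0fd635a37194efc1f3e0f5012a4704992b0e",  # Win ransom note
}
# Folders the report says the ELF variant walks; used as the default scan roots
TARGET_ROOTS = ["/opt", "/u01", "/u02", "/u03", "/u04", "/home", "/root"]


def sha1_of(path: Path) -> str:
    """Stream the file through SHA1 so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(roots, max_hash_size=50_000_000):
    """Return (finding_kind, path) tuples for every IoC match under the given roots."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                if name in NOTE_NAMES:
                    findings.append(("ransom_note", str(path)))
                if name.endswith(CL0P_EXTENSION):
                    findings.append(("encrypted_file", str(path)))
                try:
                    # Hash only reasonably sized files; hits here mean the sample itself
                    # or a dropped note is present on disk.
                    if path.stat().st_size <= max_hash_size and sha1_of(path) in KNOWN_SHA1:
                        findings.append(("known_sample", str(path)))
                except OSError:
                    continue  # unreadable or vanished file; keep scanning
    return findings


def build_sample_tree() -> Path:
    """Constructed directory tree mimicking a hit under /opt; contents are placeholders."""
    base = Path(tempfile.mkdtemp(prefix="cl0p_demo_"))
    app = base / "opt" / "app"
    app.mkdir(parents=True)
    (app / "config.yml" + CL0P_EXTENSION if False else app / ("config.yml" + CL0P_EXTENSION)).write_bytes(b"\x00" * 64)
    (app / "README_C_I_0P.TXT").write_text("constructed placeholder note\n")
    (app / "normal.log").write_text("nothing to see here\n")
    return base


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, where in scan([str(demo_root)]):
        print(f"{kind}: {where}")
    # Real use: scan(TARGET_ROOTS) as root on the host under investigation.
```

Extension and note-name matches are cheap and catch an in-progress or completed encryption run; the hash match is the higher-confidence signal but only fires when the binary or an unmodified note is still on disk, so treat the three kinds of finding with different weight when triaging.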

Read more: https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/