Cl0p Ransomware Targets Linux Systems with Flawed Encryption
The ELF Cl0p variant is developed in a similar logic to the Windows variant, though it contains small differences mostly attributed to OS differences such as API calls. It appears to be in its initial development phases as some functionalities present in the Windows versions do not currently exist in this new Linux version.
Execution Process
Initially, the ransomware creates a new process by calling `fork` and exits the parent process. The child process then:
- Sets its file mode creation mask to allow any permission (read, write, execute) by calling `umask(0)`.
- Calls `setsid`, creating a new session and setting the process group ID.
- Changes the working directory to the filesystem root `/` using `chdir("/")`.
Once the permissions are set, the ransomware proceeds to encrypt directories.
Targeted Directories
Unlike the Windows version, which uses a hashing algorithm to skip specific folders and files, the Linux variant has no such exclusion logic. The ELF variant targets specific folders, their subfolders, and all file types within them.
The discovered ELF sample targets the following directories for encryption:
Folder | Description |
---|---|
/opt | Contains subdirectories for optional software packages. |
/u01 | Oracle Directory, mount point used for the Oracle software only. |
/u02 | Oracle Directory, used for the database files. |
/u03 | Oracle Directory, used for the database files. |
/u04 | Oracle Directory, used for the database files. |
/home | Contains the home directory of each user. |
/root | Contains the home directory of the root user. |
Future versions may include additional directories.
Windows vs. Linux Encryption Methods
Windows versions of Cl0p ransomware use a Mersenne Twister PRNG (MT19937) to generate a 0x75-byte RC4 key for each file. This key is then:
- Validated (checks if the first five bytes are NULL).
- Used for file encryption.
- Encrypted with an RSA public key and stored as `$filename.$clop_extension`.
Victims who pay the ransom receive a decryptor that:
- Decrypts the Cl0p file using the RSA private key.
- Retrieves the generated RC4 key.
- Uses the RC4 key to decrypt the encrypted file.
However, this RSA-based protection of the per-file key is missing in the Linux variant.
Flawed Encryption Logic in the Linux Variant
The Linux variant contains a hardcoded RC4 "master key", which is copied into the global variable `szKeyKey` during execution.
Sample RC4 "master key": `Jfkdskfku2ir32y7432uroduw8y7318i9018urewfdsZ2Oaifwuieh~~cudsffdsd`
During file encryption, the ransomware:
- Generates a 0x75-byte RC4 key using a lookup table and a PRNG byte.
- Uses this generated RC4 key to encrypt the `mappedAddress` and writes it back to the file.
- Encrypts the generated RC4 key with the RC4 "master key" and stores it as `$filename.$clop_extension`.
Cl0p-ELF Decryption Logic
Due to the flawed encryption logic, files can be decrypted without paying for a decryptor. The decryption process involves:
- Retrieving the RC4 "master key".
- Reading all `$filename.$clop_extension` files.
- Decrypting the generated RC4 key using the RC4 "master key".
- Using the decrypted RC4 key to decrypt `$filename`.
- Writing the decrypted content back to `$filename`.
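The following is an added worked example (not code from the sample or from the original article) covering both the flawed key-handling described in the previous section and the recovery steps listed above. Because the per-file RC4 key is wrapped with a symmetric RC4 "master key" that ships inside the binary, unwrapping it is a single RC4 pass, unlike the Windows variant, where the RSA private key is needed. The master key string is the one quoted in the article; the `.clop` extension, the on-disk layout of the key blob, and the `build_constructed_sample` fixture (which merely stands in for the sample's table-plus-PRNG key generation) are assumptions made so the example runs offline on constructed data.

```python
"""
Added example: recover files protected by the Cl0p ELF variant's flawed
key-wrapping. The variant encrypts each file with a fresh 0x75-byte RC4
key, then "protects" that key by RC4-encrypting it under a hardcoded
master key and writing the result to $filename.$clop_extension.
RC4 is symmetric, so holding the master key is enough to unwrap the
per-file key. Extension and on-disk layout are assumptions here.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Master key string as reported in the article (copied into szKeyKey at runtime).
MASTER_KEY = b"Jfkdskfku2ir32y7432uroduw8y7318i9018urewfdsZ2Oaifwuieh~~cudsffdsd"
FILE_KEY_LEN = 0x75   # per-file RC4 key length reported for the sample
CLOP_EXT = ".clop"    # assumption: the real extension is sample-specific

# Directories the ELF sample targets (from the article's table).
TARGET_DIRS = ["/opt", "/u01", "/u02", "/u03", "/u04", "/home", "/root"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unwrap_file_key(wrapped: bytes, master_key: bytes = MASTER_KEY) -> bytes:
    """Undo the symmetric 'wrap': RC4 under the hardcoded master key is its own inverse."""
    return rc4(master_key, wrapped)


def decrypt_file_bytes(ciphertext: bytes, wrapped_key: bytes,
                       master_key: bytes = MASTER_KEY) -> bytes:
    """Steps 3-4 of the recovery process on in-memory data."""
    return rc4(unwrap_file_key(wrapped_key, master_key), ciphertext)


def decrypt_file(path: Path, master_key: bytes = MASTER_KEY, ext: str = CLOP_EXT) -> bytes:
    """Recover $filename in place from $filename and $filename.$clop_extension."""
    wrapped = Path(str(path) + ext).read_bytes()
    plaintext = decrypt_file_bytes(path.read_bytes(), wrapped, master_key)
    path.write_bytes(plaintext)
    return plaintext


def find_encrypted_pairs(root: Path, ext: str = CLOP_EXT):
    """Walk a tree and yield every file that has a key blob sitting next to it."""
    for dirpath, _, files in os.walk(root):
        names = set(files)
        for name in files:
            if name.endswith(ext) and name[:-len(ext)] in names:
                yield Path(dirpath) / name[:-len(ext)]


def recover_tree(root: Path) -> dict:
    """Decrypt every pair under root; returns {path: recovered bytes}."""
    return {str(p): decrypt_file(p) for p in find_encrypted_pairs(root)}


def build_constructed_sample(plaintext: bytes) -> tuple:
    """Constructed fixture (not the sample's code): random per-file key,
    file body encrypted with it, key wrapped under the master key."""
    file_key = secrets.token_bytes(FILE_KEY_LEN)
    return rc4(file_key, plaintext), rc4(MASTER_KEY, file_key)


def demo(plaintext: bytes = b"constructed Oracle datafile contents") -> bytes:
    """Lay the constructed artifacts out under a temp dir mirroring /opt and recover them."""
    root = Path(tempfile.mkdtemp())
    target = root / "opt" / "app" / "data.dbf"
    target.parent.mkdir(parents=True)
    body, wrapped = build_constructed_sample(plaintext)
    target.write_bytes(body)
    Path(str(target) + CLOP_EXT).write_bytes(wrapped)
    recovered = recover_tree(root)
    return recovered[str(target)]


if __name__ == "__main__":
    print(demo())
```

On a real host the walk would be run over `TARGET_DIRS` with the extension observed on the victim's files; the constructed fixture exists only so the recovery path can be exercised without a live sample. The contrast with the Windows variant is the whole point: there the wrapped key is RSA ciphertext, so `unwrap_file_key` has no symmetric equivalent and recovery requires the operator's private key.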