Cl0p Ransomware Targets Linux Systems with Flawed Encryption

The ELF Cl0p variant is developed in a similar logic to the Windows variant, though it contains small differences mostly attributed to OS differences such as API calls.
It appears to be in its initial development phases as some functionalities present in the Windows versions do not currently exist in this new Linux version.

Initially, the ransomware creates a new process by calling fork and exits the parent-process.
The child-process sets its file mode creation mask to any permission (read, write, execute) by calling umask(0).
It then calls setsid, creates a session and sets the process group ID.
It tries to access root by changing the working directory to “/” (chdir(“/”)).
Once the permissions are set, the ransomware proceeds encrypting other directories.

While the Windows versions contain a hashing algorithm in order to avoid encrypting specific folders and files, such functionality was not observed in the Linux variant.
The ELF variant targets specific folders, subfolders and all files/types.

The discovered ELF sample targets files contained in the following directories for encryption, though we do not exclude the possibility of future versions including more directories.

Folder Description
/opt Contains subdirectories for optional software packages
/u01 Oracle Directory, mount point used for the Oracle software only.
/u02 Oracle Directory, used for the database files.
/u03 Oracle Directory, used for the database files.
/u04 Oracle Directory, used for the database files.
/home Contains the home directory of each user.
/root Contains the home directory of the root user.

Windows versions of Cl0p ransomware use a Mersenne Twister PRNG (MT19937) to generate a 0x75 bytes size RC4 key for each file.
This key is then validated (checks if the first five bytes are NULL) and used for file encryption.
Then, by using the RSA public key, it encrypts the generated RC4 key and stores it to $filename.$clop_extension.
Victims who pay the ransom demand receive a decryptor which decrypts the generated Cl0p file using the RSA private key, retrieves the generated RC4 key, and then decrypts the encrypted file.

This core functionality is missing in the Linux variant.
Instead, we discovered a flawed ransomware-encryption logic which makes it possible to retrieve the original files without paying for a decryptor.

The Linux variant contains a hardcoded RC4 “master-key” which, during the execution of the main function, is copied into the global variable szKeyKey.

Sample’s RC4 “master-key”:

Jfkdskfku2ir32y7432uroduw8y7318i9018urewfdsZ2Oaifwuieh~~cudsffdsd
During the file encryption phase, the ransomware – similar to the Windows version – generates a 0x75 bytes size RC4 key, with the use of a lookup table and a PRNG byte.
This generated RC4 key is used to encrypt the mappedAddress and write it back to the file.

Then by using the RC4 “master-key” the ransomware encrypts the generated RC4 key and stores it to $filename.$clop_extension.

Cl0p-ELF Decryption Logic:

Retrieve RC4 “master-key”.
Read all $filename.$clop_extension.
Decrypt with RC4 using the RC4 “master-key”, the generated RC4 key.
Decrypt $filename with RC4 using the generated RC4 key.
Write decrypted to $filename.

Sign Up For Threat Alerts

Loading...
Threats Icon

Mar 23, 2023

HiatusRAT Targets SOHO Routers

Business grade routers are being infected with the HiatusRAT Remote Access Trojan a variant of...

Threats Icon

Mar 23, 2023

HiatusRAT Targets SOHO Routers

Business grade routers are being infected with the HiatusRAT Remote Access Trojan a variant of...

Threats Icon

Mar 21, 2023

Dotrunpex – Demystifying new virtualized .net injector...

DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used...

Threats Icon

Mar 21, 2023

GlobeImposter Ransomware With MedusaLocker Spreading Via RDP

A GlobeImposter ransomware campaign was discovered being carried out by the attackers behind MedusaLocker. The...

Threats Icon

Mar 20, 2023

Common credential stealers

FortiGuard Threat Research has observed an increasing threat arising from credential stealers. The most common...

Threats Icon

Mar 20, 2023

Sirattacker And ALC Ransomware Analysis

The Sirattacker and ALC ransomware families continue to gain traction and compromise Microsoft Windows devices....

Threats Icon

Mar 19, 2023

Google Advertising Used To Distribute RedLine Stealer

A malvertising campaign was discovered mimicking websites belonging to well-known software such as Notepad++ and...

Threats Icon

Mar 16, 2023

Microsoft Outlook Elevation of Privilege Vulnerability Exploit

Microsoft has posted a security vulnerability CVE-2023-23397, exploiting it allows attackers to gain elevated privileges...

Threats Icon

Mar 16, 2023

ImBetter Information Stealer Targets Cryptocurrency Users

Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...

Threats Icon

Mar 16, 2023

ImBetter Information Stealer Targets Cryptocurrency Users

Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting...

Threats Icon

Mar 15, 2023

US Cert Alert – Threat Actors Exploit...

CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully...

Threats Icon

Mar 15, 2023

Threat Actors Use ParallaxRAT For Targeting Cryptocurrency...

Threat actors are targeting organization in the cryptocurrency sector with spam and phishing campaigns that...

Threats Icon

Mar 13, 2023

Exposing The Lazarus Arsenal WinorDLL64 Backdoor

In 2021 the researchers discovered and dissected a tool from the Lazarus APTs arsenal named...

Threats Icon

Mar 12, 2023

Clasiopa New Group Targets Materials Research

A campaign targeting the materials research sector with custom and commodity utilities and malware is...

Threats Icon

Mar 09, 2023

New Emotet campaign

Emotet is a type of malware that is designed to steal sensitive information from infected...