Cl0p Ransomware Targets Linux Systems with Flawed Encryption

February 8, 2023

The ELF Cl0p variant is developed in a similar logic to the Windows variant, though it contains small differences mostly attributed to OS differences such as API calls. It appears to be in its initial development phases as some functionalities present in the Windows versions do not currently exist in this new Linux version.

Execution Process

Initially, the ransomware creates a new process by calling fork and exits the parent process. The child process then:

  • Clears its file mode creation mask by calling umask(0), so files it creates can carry any permission bits (read, write, execute).
  • Calls setsid, which creates a new session and sets the process group ID.
  • Changes its working directory to the root of the filesystem with chdir("/").

Once the permissions are set, the ransomware proceeds to encrypt directories.

Targeted Directories

Unlike the Windows version, which contains a hashing algorithm to avoid encrypting specific folders and files, this functionality was not observed in the Linux variant. The ELF variant targets specific folders, subfolders, and all file types.

The discovered ELF sample targets the following directories for encryption:

Folder   Description
/opt     Contains subdirectories for optional software packages.
/u01     Oracle directory, mount point used for the Oracle software only.
/u02     Oracle directory, used for the database files.
/u03     Oracle directory, used for the database files.
/u04     Oracle directory, used for the database files.
/home    Contains the home directory of each user.
/root    Contains the home directory of the root user.

Future versions may include additional directories.

Windows vs. Linux Encryption Methods

Windows versions of Cl0p ransomware use a Mersenne Twister PRNG (MT19937) to generate a 0x75-byte RC4 key for each file. This key is then:

  1. Validated (checks if the first five bytes are NULL).
  2. Used for file encryption.
  3. Encrypted with an RSA public key and stored as $filename.$clop_extension.

Victims who pay the ransom receive a decryptor that:

  • Decrypts the Cl0p file using the RSA private key.
  • Retrieves the generated RC4 key.
  • Uses the RC4 key to decrypt the encrypted file.

However, this core functionality is missing in the Linux variant.

Flawed Encryption Logic in the Linux Variant

The Linux variant contains a hardcoded RC4 "master key", which is copied into the global variable szKeyKey during execution.

Sample RC4 "master key":
Jfkdskfku2ir32y7432uroduw8y7318i9018urewfdsZ2Oaifwuieh~~cudsffdsd

During file encryption, the ransomware:

  1. Generates a 0x75-byte RC4 key using a lookup table and a PRNG byte.
  2. Uses this generated RC4 key to encrypt the memory-mapped file contents (mappedAddress) and writes the result back to the file.
  3. Encrypts the generated RC4 key with the RC4 "master key" and stores it as $filename.$clop_extension.

Cl0p-ELF Decryption Logic

Due to the flawed encryption logic, files can be decrypted without paying for a decryptor. The decryption process involves:

  1. Retrieving the RC4 "master key".
  2. Reading all $filename.$clop_extension files.
  3. Decrypting the generated RC4 key using the RC4 "master key".
  4. Using the decrypted RC4 key to decrypt $filename.
  5. Writing the decrypted content back to $filename.
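The following is an added illustration, not code from the article or from the malware, of why the Linux scheme is recoverable: because the per-file key is wrapped with a hardcoded symmetric RC4 master key rather than an RSA public key, anyone holding the sample can unwrap it. The master key is the one quoted above; the per-file key, the plaintext, the CLOP_EXT value and the function names are constructed placeholders.

```python
# Master key as quoted in the article; the real extension is not given, so a placeholder is used.
MASTER_KEY = b"Jfkdskfku2ir32y7432uroduw8y7318i9018urewfdsZ2Oaifwuieh~~cudsffdsd"
CLOP_EXT = ".PLACEHOLDER_EXT"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_sample_artifacts(plaintext: bytes, file_key: bytes) -> tuple[bytes, bytes]:
    """Construct the two artifacts the article describes for one file:
    the RC4-encrypted file body ($filename) and the per-file RC4 key
    wrapped with the master key ($filename + CLOP_EXT)."""
    if len(file_key) != 0x75:
        raise ValueError("per-file RC4 key must be 0x75 bytes")
    return rc4(file_key, plaintext), rc4(MASTER_KEY, file_key)


def recover_file(encrypted_body: bytes, wrapped_key: bytes) -> bytes:
    """Steps 3-4 of the decryption logic: unwrap the per-file key with the
    master key, then decrypt the body with it. No private key is needed."""
    file_key = rc4(MASTER_KEY, wrapped_key)
    return rc4(file_key, encrypted_body)


if __name__ == "__main__":
    # Constructed per-file key and plaintext standing in for a victim file.
    demo_key = bytes((i * 7 + 3) & 0xFF for i in range(0x75))
    body, blob = build_sample_artifacts(b"quarterly-report", demo_key)
    print("key file name:", "report.txt" + CLOP_EXT, "| recovered:", recover_file(body, blob))
```

With RSA-wrapped keys, as in the Windows variant, the same unwrap step would require the operator's private key.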