New Cl0p ransomware variant targets Linux systems, leverages unreliable encryption algorithm

SentinelLabs announced Tuesday that it has identified what it describes as the first Linux variant of the Cl0p ransomware. Its analysis found that the ELF executable uses flawed encryption logic, which makes it possible to decrypt locked files without paying the ransom.

Antonis Terefos wrote in a company blog post that SentinelLabs observed the first ELF variant of Cl0p (also known as Clop) ransomware targeting Linux systems on Dec. 26. “The new variant is similar to the Windows variant, using the same encryption method and similar process logic. The mentioned sample appears to be part of a bigger attack that possibly occurred around the 24th of December against a University in Colombia.”

He added that on Jan. 5, the cybercrime group leaked victims’ data on its onion page. On the same day, the U.S. Department of Health & Human Services Health Sector Cybersecurity Coordination Center (HC3) confirmed that it was aware of attacks on the health and public health (HPH) sector by the Clop ransomware group. The disclosure comes a few months after the Russia-based Cl0p ransomware group breached the U.K. water supply company South Staffordshire Water.

The ELF Cl0p variant follows the same logic as the Windows variant, with small differences mostly attributable to operating-system differences such as API calls, according to Terefos. “It appears to be in its initial development phases as some functionalities present in the Windows versions do not currently exist in this new Linux version. A reason for this could be that the threat actor has not needed to dedicate time and resources to improve obfuscation or evasiveness due to the fact that it is currently undetected by all 64 security engines on VirusTotal,” he added.

“Over the last twelve months or so we have continued to observe the increased targeting of multiple platforms by individual ransomware operators or variants. The discovery of an ELF-variant of Cl0p adds to the growing list of the likes of Hive, Qilin, Snake, Smaug, Qyick and numerous others,” Terefos wrote. 

He added, “we know that Cl0p operations have shown little if any slowdown since the disruption in June 2021. While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward.”

Terefos said that the ransomware first creates a new process by calling fork and exiting the parent process. “The child-process sets its file mode creation mask to any permission (read, write, execute) by calling umask(0). It then calls setsid, creates a session, and sets the process group ID. It tries to access root by changing the working directory to “/” (chdir(“/”)). Once the permissions are set, the ransomware proceeds encrypting other directories,” he added. This is the standard Unix daemonization sequence: chdir("/") only changes the working directory and does not by itself grant root privileges, and umask(0) means any file the process creates keeps exactly the permission bits the process asks for.
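Each step of that sequence leaves a trace a defender can read from /proc on Linux: the child is reparented (ppid 1, or a subreaper), it is a session leader (session id equals its pid in /proc/<pid>/stat), /proc/<pid>/status reports `Umask: 0000` (kernel 4.7 and later), and /proc/<pid>/cwd resolves to "/". The following is an added example, not code from SentinelLabs or from the sample; the /proc text in the test is constructed, and `ProcInfo`, `daemon_traits` and `looks_daemonized` are names chosen for this illustration.

```python
"""Triage helper (added example): flag processes that show all four traces of the
fork / umask(0) / setsid / chdir("/") daemonization sequence.

Every legitimate daemon matches too, so this is a filter for a hunt, not an
indicator on its own; combine with a deleted or unusual executable path,
unexpected file I/O, or a process tree that no service manager started.
"""
import os
from dataclasses import dataclass


@dataclass
class ProcInfo:
    pid: int
    comm: str
    ppid: int
    sid: int
    umask: int   # -1 when the kernel does not report it (pre-4.7)
    cwd: str


def parse_stat(text: str) -> tuple[int, str, int, int]:
    """Parse /proc/<pid>/stat into (pid, comm, ppid, session id).

    comm is shown in parentheses and may itself contain spaces or ')',
    so split on the last ')' rather than on whitespace.
    """
    lparen = text.index("(")
    rparen = text.rindex(")")
    pid = int(text[:lparen])
    comm = text[lparen + 1:rparen]
    rest = text[rparen + 1:].split()   # state ppid pgrp session tty_nr ...
    return pid, comm, int(rest[1]), int(rest[3])


def parse_umask(status_text: str) -> int:
    """Return the octal Umask from /proc/<pid>/status, or -1 if absent."""
    for line in status_text.splitlines():
        if line.startswith("Umask:"):
            return int(line.split()[1], 8)
    return -1


def daemon_traits(info: ProcInfo) -> list[str]:
    """List which of the four daemonization traces this process exhibits."""
    hits = []
    if info.ppid == 1:            # parent exited; assumes no subreaper in between
        hits.append("parent exited (reparented to PID 1)")
    if info.sid == info.pid:      # setsid() makes the caller a session leader
        hits.append("session leader (setsid)")
    if info.umask == 0:           # umask(0)
        hits.append("umask 0")
    if info.cwd == "/":           # chdir("/")
        hits.append("cwd is /")
    return hits


def looks_daemonized(info: ProcInfo) -> bool:
    return len(daemon_traits(info)) == 4


def read_proc(pid: int) -> ProcInfo:
    """Collect the same fields from a live Linux host (reading cwd needs privilege)."""
    with open(f"/proc/{pid}/stat") as f:
        p, comm, ppid, sid = parse_stat(f.read())
    with open(f"/proc/{pid}/status") as f:
        umask = parse_umask(f.read())
    try:
        cwd = os.readlink(f"/proc/{pid}/cwd")
    except OSError:
        cwd = "?"
    return ProcInfo(p, comm, ppid, sid, umask, cwd)


if __name__ == "__main__":
    # Walk /proc and print every process that matches all four traces.
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                info = read_proc(int(entry))
            except OSError:
                continue
            if looks_daemonized(info):
                print(info.pid, info.comm, daemon_traits(info))
```

Run as root on the host being triaged; in a container PID 1 is the entrypoint rather than init, so the ppid test needs adjusting there.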

SentinelLabs identified that the Windows versions of Cl0p ransomware use a Mersenne Twister PRNG (MT19937) to generate a 0x75-byte (117-byte) RC4 key for each file. “This key is then validated (checks if the first five bytes are NULL) and used for file encryption. Then, by using the RSA public key, it encrypts the generated RC4 key and stores it to ‘$filename.$clop_extension.’ Victims who pay the ransom demand receive a decryptor which decrypts the generated Cl0p file using the RSA private key, retrieves the generated RC4 key, and then decrypts the encrypted file,” the post added. This is a conventional hybrid design: the per-file key is wrapped with an RSA public key, so only the holder of the matching private key can unwrap it.

Terefos highlighted that this asymmetric key-wrapping step is missing in the Linux variant. “Instead, we discovered a flawed ransomware-encryption logic which makes it possible to retrieve the original files without paying for a decryptor. The Linux variant contains a hardcoded RC4 ‘master-key’ which, during the execution of the main function, is copied into the global variable szKeyKey,” he added.

During the file encryption phase, the ransomware – similar to the Windows version – generates a 0x75-byte RC4 key using a lookup table and a PRNG byte, Terefos revealed. “This generated RC4 key is used to encrypt the mappedAddress and write it back to the file. Then by using the RC4 ‘master-key’ the ransomware encrypts the generated RC4 key and stores it to $filename.$clop_extension. By using a symmetric algorithm (second RC4) to ‘encrypt’ the file’s RC4 key, we were able to take advantage of this flaw and decrypt Cl0p-ELF encrypted files.”

The key file also leaks metadata about the original file, which is useful for forensics: the result of fstat64 taken before encryption, including the file size in bytes (st_size) and the time of last status change (st_ctime), which gives the exact time the file was encrypted; the size of the buffer used for file encryption (the code checks whether it is >= 0x5f5e100, i.e. 100,000,000 bytes); the RC4 master-key size; and the RC4 PRNG key size.
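To make the difference between the two schemes concrete, here is an added example in Python that models the key handling described in the three paragraphs above (Windows: per-file RC4 key wrapped with RSA; Linux: per-file RC4 key wrapped with a second RC4 pass under a hardcoded master key) and the recovery the Linux design permits. It is not SentinelLabs' decryptor and not code from the sample. Assumptions, labelled in the code: `MASTER_KEY` is a made-up stand-in for the key the binary copies into szKeyKey, `os.urandom` stands in for the lookup-table/PRNG generator, and the layout of the $filename.$clop_extension file (size and ctime followed by the wrapped key) is invented for illustration; the post does not give the real layout.

```python
"""Added example: why wrapping a per-file key with a hardcoded symmetric key
(the Cl0p-ELF design) is recoverable, while the RSA wrap used on Windows is not.

Everything below is a model. The master key, the key-file layout and the PRNG
are placeholders chosen for illustration, not values from the sample.
"""
import os
import struct

KEY_LEN = 0x75  # per-file RC4 key size reported for both variants

# Constructed stand-in for the hardcoded key the ELF copies into szKeyKey.
# In a real case this is what an analyst extracts from the binary.
MASTER_KEY = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA keystream XOR). Symmetric: the same call
    encrypts and decrypts, which is exactly the property the flaw rests on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def gen_file_key(rng=os.urandom) -> bytes:
    """Per-file key. Mirrors the validation the post describes: a key whose
    first five bytes are NULL is rejected and a new one is drawn."""
    while True:
        k = rng(KEY_LEN)
        if k[:5] != b"\x00" * 5:
            return k


def clop_elf_encrypt(plaintext: bytes, st_size: int, st_ctime: int,
                     rng=os.urandom) -> tuple[bytes, bytes]:
    """Model of the Linux variant. Returns (encrypted file, key file).
    The key file layout (st_size, st_ctime, wrapped key) is an assumption;
    the post says the file carries fstat64 results but not their order."""
    file_key = gen_file_key(rng)
    ciphertext = rc4(file_key, plaintext)
    wrapped = rc4(MASTER_KEY, file_key)          # symmetric wrap: the flaw
    keyfile = struct.pack("<QQ", st_size, st_ctime) + wrapped
    return ciphertext, keyfile


def recover_without_decryptor(ciphertext: bytes, keyfile: bytes,
                              master_key: bytes) -> tuple[bytes, int, int]:
    """What the Windows scheme prevents and the Linux scheme allows: with the
    master key pulled out of the binary, unwrap the per-file key and decrypt.
    Also returns the leaked pre-encryption size and ctime for forensics."""
    st_size, st_ctime = struct.unpack_from("<QQ", keyfile)
    file_key = rc4(master_key, keyfile[16:])
    return rc4(file_key, ciphertext), st_size, st_ctime


if __name__ == "__main__":
    # Constructed sample file, not a real victim artefact.
    original = b"quarterly results, do not distribute\n" * 4
    ct, kf = clop_elf_encrypt(original, len(original), 1671840000)
    recovered, size, ctime = recover_without_decryptor(ct, kf, MASTER_KEY)
    print("recovered ok:", recovered == original, "size:", size, "ctime:", ctime)
```

The Windows build replaces `rc4(MASTER_KEY, file_key)` with an RSA public-key encryption of `file_key`; reversing that needs the private key that only the operators hold, so nothing in the binary or on disk lets a victim perform the equivalent of `recover_without_decryptor`. The lesson for defenders reading a new sample is to check how the per-file key is protected before deciding whether a decryptor can be written.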

In December, SentinelLabs disclosed that the Vice Society group has adopted a new custom-branded ransomware payload in recent intrusions, dubbed ‘PolyVice,’ which implements an encryption scheme using NTRUEncrypt and ChaCha20-Poly1305. It is also likely that the group behind the custom-branded ransomware for Vice Society is selling similar payloads to other groups.
