A newly spotted version of the prolific Clop ransomware family holds both good and bad news for security teams.
The good news is the malware is faulty, and victims can relatively easily decrypt any data it encrypts without first having to pay a ransom for a decryption key. The bad news is the new malware also is the first Linux version of Clop, a particularly nasty ransomware variant associated with numerous high-profile attacks that have netted its operators hundreds of millions of dollars.
Researchers from SentinelOne’s SentinelLabs threat hunting team observed the latest Clop variant targeting Linux systems at a university in Colombia. Samples that the company analyzed showed the Linux code to have a similar logic as its more pernicious Windows relative, with minor differences involving API calls and other features unique to the different operating systems.
SentinelOne’s analysis showed Clop’s Linux version is still likely only in its initial development stages and missing many of the obfuscation and evasion capabilities that are present in the Windows versions of the malware. The security vendor assessed that the reason for this might have to do with the fact that not one of the 64 virus-detection engines on VirusTotal is currently able to detect the Linux Clop variant.
Significantly, SentinelOne’s researchers found the encryption logic in the Linux variant to be flawed. “The issue boils down to a couple of key differences between the Windows and Linux variants,” says Antonis Terefos, threat intelligence researcher at SentinelOne.
The Linux version includes a hardcoded master key, which, when extracted, allows for decryption, he says. “The flaw allows for the simple extraction or discovery of what the RC4 ‘master key’ is for a given sample,” he notes, adding that SentinelOne has released a free decryptor for the variant.
The Windows version, on the other hand, contains a number of validation steps, along with a different key generation process, making it hard to retrieve the master key in similar fashion. Specifically, the Windows version generates an RC4 key for each encrypted file on a compromised system and then encrypts the encryption key itself and stores it on the system. Victims who pay the ransom receive a decryption key for decrypting the RC4 key, which is then used to decrypt the actual data.
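The contrast above comes down to where the RC4 key lives. When a single master key is embedded in the binary, anyone holding a sample can pull it out and run the same stream cipher in reverse, which is exactly what a free decryptor does. The following is an added illustration, not SentinelOne's decryptor or Clop's code: it implements textbook RC4, embeds a constructed placeholder key in a fake "sample" buffer behind a made-up marker, recovers the key from that buffer, and checks that the recovered key decrypts a constructed file. The marker, key, and sample layout are all assumptions for the demonstration; the real variant's key and layout are not on this page.

```python
"""Illustration of why a hardcoded RC4 master key makes a decryptor possible.

Added example; not code from the original article or from any vendor tool.
The key, marker, and sample layout below are constructed placeholders.
"""
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key-scheduling algorithm, then the PRGA stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed stand-in for a malware sample: some padding, a marker, then the
# hardcoded key (length-prefixed). Purely hypothetical layout for the demo.
KEY_MARKER = b"RC4KEY:"
PLACEHOLDER_MASTER_KEY = b"EXAMPLE-MASTER-KEY-NOT-REAL"


def build_fake_sample(master_key: bytes) -> bytes:
    """Assemble a fake binary blob that embeds the master key in cleartext."""
    return b"\x7fELF" + b"\x00" * 32 + KEY_MARKER + bytes([len(master_key)]) + master_key + b"\x00" * 16


def extract_master_key(sample: bytes) -> bytes:
    """Recover a cleartext key from a sample by locating its marker.

    This is the analyst's step: a hardcoded key is just bytes in the file.
    Raises ValueError when the marker is absent.
    """
    idx = sample.find(KEY_MARKER)
    if idx < 0:
        raise ValueError("key marker not found in sample")
    start = idx + len(KEY_MARKER)
    key_len = sample[start]
    return sample[start + 1 : start + 1 + key_len]


def recover_file(encrypted: bytes, sample: bytes) -> bytes:
    """Decrypt a file using only the key extracted from the sample."""
    return rc4(extract_master_key(sample), encrypted)


def demo() -> bool:
    """End-to-end check: encrypt with the embedded key, recover without paying."""
    original = b"constructed victim file contents\n" * 4
    sample = build_fake_sample(PLACEHOLDER_MASTER_KEY)
    encrypted = rc4(PLACEHOLDER_MASTER_KEY, original)
    # A wrong key yields garbage rather than an error: RC4 has no integrity check.
    assert rc4(b"wrong-key", encrypted) != original
    return recover_file(encrypted, sample) == original


if __name__ == "__main__":
    print("recovered without a ransom key:", demo())
```

The per-file, wrapped-key design described for the Windows variant defeats this approach because the bytes in the sample are not sufficient to decrypt anything; a decryptor for that variant would need the operators' private key, which is why SentinelOne's tool applies only to the Linux build.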
Other Differences Between Windows & Linux Clop Versions
SentinelOne also discovered other differences between the Windows and Linux variants of Clop. The Windows variant, for instance, includes logic that excludes specific files, folders, and extensions on a system from encryption. With the Linux variant, on the other hand, paths targeted for encryption are hardcoded into the malware, Terefos says: “Therefore, there is no need to ‘exclude’ unwanted locations.”
The new Clop version adds to a growing list of ransomware variants targeting Linux systems; other examples include Hive, Smaug, Snake, and Qilin. Researchers from Trend Micro, who have been tracking the trend, reported a 75% increase in ransomware attacks that targeted Linux systems in the first half of 2022 compared with the prior year. In a September report, the security vendor reported observing some 1,960 instances where a threat actor used Linux ransomware in an attack attempt, compared with 1,121 in the same period in 2021.
Mounting Attacker Interest in Linux Malware
Since then, the situation has only gotten worse for Linux systems. During 2022 as a whole, Trend Micro identified some 27,602 attacks involving Linux malware, says Jon Clay, vice president of threat intelligence at Trend Micro. That represented a 628% increase over 2021, he notes, adding, “we are seeing many more ransomware groups targeting Linux systems.”
The attacks are part of a broader increase in all kinds of malware targeting Linux environments, Clay says. As one example, he points to a 61% increase in cryptominers targeting Linux from 2021 to 2022. Others such as VMware have noted an increase in different kinds of malware tools targeting virtual machines and containers via Linux hosts. In a report last year, the company reported identifying more than 14,000 instances where attackers attempted to deploy the Cobalt Strike post-exploitation toolkit on a Linux host.
Attacks targeting Windows systems continue to outnumber those directed at Linux environments by orders of magnitude. Still, the growing attacker interest in Linux is something enterprises cannot ignore.
“Linux and cloud devices offer a rich pool of potential victims,” Terefos says. “In recent years, many organizations have shifted toward cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks.”
The rise of cross-platform programming languages such as Rust and Go is another factor in the mix, because they have lowered the barrier to porting malware to other platforms, Terefos notes. “We’ve seen this with other groups like Hive, Royal, LockBit, Agenda, etc. Successfully targeting cloud environments is an operational necessity for the future success of these groups.”