Security researchers have observed the prolific Clop ransomware operation targeting Linux systems for the first time. The good news is that the flawed encryption used by the new variant means it’s possible for victims to recover their encrypted files for free, without paying a ransom.
The new Linux variant of the Clop ransomware was uncovered and detailed by SentinelLabs researcher Antonis Terefos. In a blog post, Terefos said he first observed the file-encrypting malware targeting Linux systems on December 26 after the ransomware gang used the new malware to target a university in Colombia, which was added to Clop’s dark web leak site in January. Clop’s leak site, which remains active, currently lists Colombia’s La Salle University among its most recent victims, alongside U.K. water supplier South Staffordshire Water.
Terefos notes that the new Linux variant is similar to the Windows version, using the same encryption method and similar process logic, but contains several flaws, including defective encryption logic that makes it possible to recover the original files without paying the ransom. As such, SentinelLabs built a free file decryption tool for Clop victims, which the company tells TechCrunch it has also shared with law enforcement.
Terefos said some of the flaws exist because the Clop hackers decided to build a bespoke Linux variant of the ransomware rather than porting over the Windows version, but warned of more Linux-targeting ransomware to come.
“While the Linux-flavored variation of Clop is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward,” said Terefos.
TechCrunch has asked SentinelLabs how many Clop infections it observed, and will update if we hear back.
The Russian-speaking Clop ransomware gang has been active since 2019 but appeared to suffer a major setback in 2021 when six individuals affiliated with the gang were arrested following an international law enforcement operation codenamed Operation Cyclone. Ukrainian police also said at the time that they had successfully shut down the server infrastructure used by the gang. But Clop continued to claim new victims, including a farm equipment retailer and an architect’s office, just weeks after the police raids.
The gang made more of a comeback in 2022, with Clop adding 21 victims to its dark web leak site in just one month alone.
“The increase in Clop’s activity seems to suggest they have returned to the threat landscape,” said Matt Hull, global lead for strategic threat intelligence at NCC Group. “Organizations within Clop’s most targeted sectors — notably industrials and technology — should consider the threat this ransomware group presents and be prepared for it.”