Linux targeted by Russian-linked ransomware for first time, says cyber watchdog

A new variant of Clop, a notorious strain of ransomware linked to Russia, has been spotted targeting Linux operating systems (OS) for the first time, according to cybersecurity analyst SentinelLabs.

Linux is an OS popular with IT professionals, including administrators, engineers, and system support teams. Clop, on the other hand, is a malicious program believed to be used primarily by Russian and Ukrainian ransom gangs to encrypt files, commonly as a prelude to extorting victim organizations desperate to retrieve their vital data.

Sentinel said it first spotted the Linux-attacking variant of Clop on December 24 and that it uses a similar encryption method to the previously observed version that goes after Windows OS. Dubbed the ELF variant, it carries a broad resemblance to the Windows-oriented version of Clop, albeit with notable differences.

“While the Windows versions contain a hashing algorithm in order to avoid encrypting specific folders and files, such functionality was not observed in the Linux variant,” said Sentinel in its report, released on February 7. “The ELF variant targets specific folders, subfolders and all files/types.”

One crucial weakness

However, Sentinel had some good news for rattled Linux users. Whereas the Windows variant works by forcing victims to pay a ransom so they can receive the decryption key required to retrieve their blocked data, the Linux variant carries a glitch that means this obstacle can be bypassed without stumping up any cash.

“Victims who pay the ransom demand receive a decryptor which decrypts the generated Clop file using the RSA private key, retrieves the generated RC4 key, and then decrypts the encrypted file,” said Sentinel of the Windows variant.

But it added: “This core functionality is missing in the Linux variant. Instead, we discovered a flawed ransomware-encryption logic which makes it possible to retrieve the original files without paying for a decryptor.”

The Linux version features a hardcoded RC4 “master key” that is used in the encryption process during a cyberattack. Because of this, Sentinel says it was able to use an algorithm, dubbed the “second RC4,” to decrypt files that had been locked by the ELF variant of Clop.
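An added illustration of the design flaw the report describes, not code from SentinelLabs or from Clop itself: when the per-file key is wrapped with a symmetric key that ships inside the binary, anyone holding the binary can unwrap it, whereas an RSA-wrapped key would need the attacker's private key. The master key value and the file contents below are constructed placeholders.

```python
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR with the keystream.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Constructed stand-in for a master key embedded in a binary (not a real Clop value).
MASTER_KEY = b"constructed-master-key-not-real"

def encrypt_with_wrapped_key(plaintext: bytes) -> tuple[bytes, bytes]:
    """Model of the flawed scheme: a random per-file RC4 key protects the data,
    and that key is itself wrapped with the hardcoded master key.
    Returns (wrapped_file_key, ciphertext)."""
    file_key = os.urandom(16)
    return rc4(MASTER_KEY, file_key), rc4(file_key, plaintext)

def recover_without_decryptor(wrapped_key: bytes, ciphertext: bytes) -> bytes:
    """What a free recovery tool can do here: unwrap the per-file key with the
    master key taken from the binary, then decrypt the file. If the file key
    had been wrapped with RSA instead, this step would need the private key."""
    file_key = rc4(MASTER_KEY, wrapped_key)
    return rc4(file_key, ciphertext)

def round_trip_recovers_original() -> bool:
    original = b"constructed sample file contents\n"
    wrapped, ct = encrypt_with_wrapped_key(original)
    return recover_without_decryptor(wrapped, ct) == original

if __name__ == "__main__":
    print("recovered without paying:", round_trip_recovers_original())
```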

“Rather than simply port the Windows version of Clop directly, the authors have chosen to build bespoke Linux payloads,” said Sentinel. “We understand this to be the primary reason for the lack of feature parity between the new Linux version and the far more established Windows variant.”

Don’t get too complacent

But the cybersecurity watchdog added that it expected future iterations of the ELF variant to gradually eliminate core differences between it and the more established Windows version.

“SentinelLabs expects future versions of the Linux variant to start eliminating those differences and for each updated functionality to be applied in both variants simultaneously,” it said.

It added that the advent of the ELF variant was part of a steady trend of proliferating ransomware it had observed over the past year.

“The discovery of an ELF-variant of Clop adds to the growing list of the likes of Hive, Qilin, Snake, Smaug, Qyick, and numerous others,” it said. “While the Linux-flavored variation of Clop is in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward.”

Born of the CryptoMix ransomware family, the original version of Clop takes its name from the “.clop” extension it adds to files after encrypting them. The name itself is thought to be derived from a Russian word that translates as “bed bug.”

Commonly attributed to Russian-speaking threat actors, Clop was discovered in 2019 and became associated with a slew of high-profile ransomware attacks over the next couple of years.