Cl0p, a prominent ransomware operation that survived a crackdown attempt in mid-2021, is again making noise with its activities. The developers of this Windows-based malware have introduced a new variant that targets Linux servers. The variant, however, has multiple shortcomings, allowing researchers to reverse engineer its encryption scheme and build a decryptor.
Cl0p gets Linux(ed)
According to SentinelLabs researchers, the Linux variant of Cl0p was first detected on December 26, 2022, after it was used together with its Windows variant during an attack.
The samples are believed to be part of a recent attack campaign against educational institutions in Colombia. Cl0p named La Salle University as a victim in early January.
The Linux and Windows variants share similarities in encryption methods and process logic. However, several key differences in the functionalities have been observed, indicating that this malware is still under development.
Moreover, researchers identified a flaw in the key-management design, reverse-engineered the encryption process, and developed a decryptor that unlocks encrypted files without paying the ransom.
Windows vs Linux variants
Owing to several noticeable differences, it is believed that the attackers built the Linux payload separately rather than porting the Windows variant to the new platform.
The Windows variant uses a hashing algorithm to exclude specific folders and files from encryption. Instead of using such a method for exclusion, the Linux variant is designed to target only a specific list of files and folders.
The file encryption process in the Windows variant depends on file size: small files are skipped, while different Windows APIs are used for mid-sized and large files. The Linux variant uses the same encryption method for files of all sizes.
Differences were also identified in the enumeration of drives, the encryption of the RC4 key, the supported command line parameters, and the way ransom notes are stored on the victim machine.
A noticeable flaw
The key-management scheme of the Linux variant is far weaker than that of the Windows variant, and this weakness is the flaw the researchers exploited.
Unlike the Windows variant, the Linux variant does not wrap the per-file RC4 keys with an RSA public key, so no secret held only by the operators is involved.
Instead, it uses a hardcoded master key both to generate the RC4 file-encryption key and to protect that key, which is then stored in the encrypted file itself.
The generated RC4 key is never validated before encryption starts. Because the master key is embedded in the binary, anyone with a sample can extract it, unwrap the stored RC4 key of every encrypted file, and decrypt the contents; this is what allowed researchers to retrieve the keys and develop a decryptor.
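The following is an added illustration of why a hardcoded master key defeats the scheme; it is not Cl0p's code and does not reproduce its actual key-derivation routine or file layout. It models the design described above in simplified form: each file is encrypted with its own RC4 key, that key is wrapped under a master key baked into the binary, and the wrapped key is appended to the file. The master-key value, the 32-byte key length and the trailer position are assumptions made for the example. The decryptor side needs nothing but the same master key, which a sample analyst can lift from the binary.

```python
import os
from typing import Optional

# Constructed, hypothetical master key standing in for a value compiled into a
# ransomware binary. It is NOT the real Cl0p key; the point is that whatever the
# real value is, it ships inside every sample.
HARDCODED_MASTER_KEY = b"example-master-key-baked-into-the-binary"
FILE_KEY_LEN = 32  # assumed per-file RC4 key length for this model


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_file_bytes(plaintext: bytes, file_key: Optional[bytes] = None) -> bytes:
    """Model of the flawed scheme (the 'ransomware' side).

    The file body is encrypted with a per-file RC4 key; that key is then wrapped
    under the hardcoded master key and appended as a trailer. Nothing here depends
    on a secret the operators keep to themselves.
    """
    if file_key is None:
        file_key = os.urandom(FILE_KEY_LEN)
    body = rc4(file_key, plaintext)
    wrapped_key = rc4(HARDCODED_MASTER_KEY, file_key)
    return body + wrapped_key


def recover_file_key(encrypted: bytes, master_key: bytes = HARDCODED_MASTER_KEY) -> bytes:
    """What a decryptor does: read the wrapped key from the trailer and unwrap it
    with the master key extracted from the sample."""
    wrapped_key = encrypted[-FILE_KEY_LEN:]
    return rc4(master_key, wrapped_key)


def decrypt_file_bytes(encrypted: bytes, master_key: bytes = HARDCODED_MASTER_KEY) -> bytes:
    """Recover the per-file key, then strip the trailer and decrypt the body.
    Note that nothing validates the recovered key: a wrong master key silently
    yields garbage, mirroring the 'never validated' behaviour described above."""
    file_key = recover_file_key(encrypted, master_key)
    return rc4(file_key, encrypted[:-FILE_KEY_LEN])


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    sample = b"constructed sample document, line 1\nline 2\n" * 10
    locked = encrypt_file_bytes(sample)
    print("recovered key:", recover_file_key(locked).hex())
    print("round trip ok:", decrypt_file_bytes(locked) == sample)
```

Had the Linux variant followed the Windows design, the trailer would hold the file key encrypted to an RSA public key, and `recover_file_key` would need the operators' private key, which is not present in any sample; that single change is what separates a recoverable scheme from one that actually forces a ransom decision.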
Ending notes
With the release of the Linux variant, Cl0p has joined the long list of malware families, including Hive, HelloKitty, REvil, and BlackMatter, that have expanded to this platform after establishing a stable Windows variant. Given that the flaw was found in malware still under development, it is highly likely that its developers will put more effort into fixing it. Moreover, experts believe that more malware families could follow this trend of moving to Linux.