First Linux variant of Clop ransomware targeted universities, colleges but was flawed

The first Linux variant of the Clop ransomware was rife with issues that allowed researchers to create a decryptor tool for victims.

SentinelOne researcher Antonis Terefos said his team observed the first Clop (also stylized as Cl0p) ransomware variant targeting Linux systems on December 26. Clop has existed since about 2019, targeting large companies, financial institutions, primary schools and critical infrastructure across the world. After the group targeted several major South Korean companies like e-commerce giant E-Land in November 2020, multiple actors connected to the group were arrested in Kyiv, Ukraine.

Those arrested had laundered more than $500 million from Clop and one other ransomware group.

Terefos explained that the new Linux variant was mostly used to target educational institutions – including a university in Colombia – but had issues that defenders could exploit to help victims. 

“We discovered a flaw in the Linux version of Clop ransomware which enabled us to create a decryptor tool. We have not seen any new versions of the ransomware in the wild. However, we predict that the ransomware authors will likely attempt to fix the flaw in future versions, so organizations should take steps to protect themselves against the ransomware,” Terefos said. 

“We found that the Linux version of the Cl0p ransomware is in an early stage of development, suggesting that the threat actors are still manually operating and tweaking the ransomware to target specific victims. We also noticed that the ransomware had hardcoded victim-specific details, such as file paths for encryption, indicating that the threat actors had knowledge of the victim environment before launching the attack.”

SentinelOne published a report on their findings, explaining that the Linux variant of the ransomware resembled the Windows version, using the same encryption method and process logic.

The researchers noted that the developers likely did not invest much time or resources into improving the obfuscation or evasiveness of the Linux version because many security systems could not detect it.

The Windows version allowed the ransomware group to list out what folders and files should not be encrypted, but that functionality was not seen with the Linux version. The Linux version was used to target specific folders and all file types.

“Rather than simply port the Windows version of Cl0p directly, the authors have chosen to build bespoke Linux payloads. We understand this to be the primary reason for the lack of feature parity between the new Linux version and the far more established Windows variant,” Terefos explained.

“SentinelLabs expects future versions of the Linux variant to start eliminating those differences and for each updated functionality to be applied in both variants simultaneously.”

The Linux version also leaves the ransom note in a .txt format while the Windows version leaves the ransom note in .rtf.


A sample of the Clop ransom note.

Terefos noted that the Linux version was part of a larger trend among ransomware groups of creating variants of their strain. Hive, Qilin, Snake, Smaug, Qyick and numerous others have used Linux variants to encrypt victims.

In spite of the June 2021 arrests, Clop has not stopped operating and the development of a Linux version should prompt defenders to be ready for anything, Terefos said. 

“Ransomware groups are constantly seeking new targets and methods to maximize their profits. Being widely used in enterprise environments, Linux and cloud devices offer a rich pool of potential victims,” Terefos told The Record. 

“In recent years, many organizations have shifted towards cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks. Therefore, ransomware groups targeting Linux and cloud systems is a natural progression in their quest for higher profits and easier targets.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.