Cl0p and Higher .edu

The first Linux variant of the Clop ransomware was rife with issues that allowed researchers to create a decryptor tool for victims.  SentinelOne said it observed the first Clop (also stylized as Cl0p) ransomware variant targeting Linux systems on 26 December 2022.  Clop has existed since about 2019, targeting large companies, financial institutions, primary schools and critical infrastructure across the world.  After the group targeted several major South Korean companies, including the e-commerce giant E-Land, in November 2020, multiple actors connected to the group were arrested in Kyiv, Ukraine, in June 2021.  Those arrested had laundered more than $500 million from Clop and one other ransomware group.[1]

SentinelOne explained that the new Linux variant was mostly used to target educational institutions, including a university in Colombia, but had issues that defenders could exploit to help victims.  “We discovered a flaw in the Linux version of Clop ransomware which enabled us to create a decryptor tool.  We have not seen any new versions of the ransomware in the wild.  However, we predict that the ransomware authors will likely attempt to fix the flaw in future versions, so organizations should take steps to protect themselves against the ransomware,” SentinelOne said.  “We found that the Linux version of the Cl0p ransomware is in an early stage of development, suggesting that the threat actors are still manually operating and tweaking the ransomware to target specific victims.  We also noticed that the ransomware had hardcoded victim-specific details, such as file paths for encryption, indicating that the threat actors had knowledge of the victim environment before launching the attack.”

SentinelOne published a report on its findings, explaining that the Linux variant resembles the Windows version, using the same encryption method and process logic.[2]  The researchers noted that the developers likely did not invest much time or resources in the obfuscation or evasiveness of the Linux version, because many security products did not detect it anyway.  The Windows version lets the operators list the folders and files that should not be encrypted; the Linux version has no such exclusion list and instead encrypts every file type under a set of hardcoded target folders.  “Rather than simply port the Windows version of Cl0p directly, the authors have chosen to build bespoke Linux payloads.  We understand this to be the primary reason for the lack of feature parity between the new Linux version and the far more established Windows variant,” SentinelOne explained.  “SentinelLabs expects future versions of the Linux variant to start eliminating those differences and for each updated functionality to be applied in both variants simultaneously.”

The Linux version also drops its ransom note as a plain-text file (README_C_I_0P.TXT), while the Windows version drops it as an RTF document (!_READ_ME.RTF).  Both variants append the .C_I_0P extension to the files they encrypt.

[Image: a sample of the Clop ransom note.]

SentinelOne noted that the Linux version was part of a larger trend among ransomware groups of creating variants of their strain.

Hive, Qilin, Snake, Smaug, Qyick and numerous others have used Linux variants to encrypt victims.  In spite of the June 2021 arrests, Clop has not stopped operating and the development of a Linux version should prompt defenders to be ready for anything, SentinelOne said.  “Ransomware groups are constantly seeking new targets and methods to maximize their profits.  Being widely used in enterprise environments, Linux and cloud devices offer a rich pool of potential victims,” SentinelOne said.  “In recent years, many organizations have shifted towards cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks. Therefore, ransomware groups targeting Linux and cloud systems is a natural progression in their quest for higher profits and easier targets.”

From SentinelOne: Over the last twelve months or so we have continued to observe the increased targeting of multiple platforms by individual ransomware operators or variants.  The discovery of an ELF-variant of Cl0p adds to the growing list of the likes of Hive, Qilin, Snake, Smaug, Qyick and numerous others.

We know that Cl0p operations have shown little if any slowdown since the disruption in June 2021.  While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward.

SentinelLabs continues to monitor the activity associated with Cl0p. SentinelOne Singularity protects against malicious artifacts and behaviors associated with Cl0p attacks including the ELF variant described in this post.

Indicators of Compromise

IOC Type                 IOC Value
SHA1 ELF Cl0p            46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5
SHA1 Win Cl0p            40b7b386c2c6944a6571c6dcfb23aaae026e8e82
SHA1 Win Cl0p            4fa2b95b7cde72ff81554cfbddc31bbf77530d4d
SHA1 Win Cl0p            a1a628cca993f9455d22ca2c248ddca7e743683e
SHA1 Win Cl0p            a6e940b1bd92864b742fbd5ed9b2ef763d788ea7
SHA1 Win Cl0p            ac71b646b0237b487c08478736b58f208a98eebf
SHA1 ELF Cl0p Note       ba5c5b5cbd6abdf64131722240703fb585ee8b56
SHA1 Win Cl0p Note       77ea0fd635a37194efc1f3e0f5012a4704992b0e
ELF Ransom Note          README_C_I_0P.TXT
Win Ransom Note          !_READ_ME.RTF
Cl0p Ransom Extension    .C_I_0P
Cl0p Contact Email       unlock[@]support-mult.com
Cl0p Contact Email       unlock[@]rsv-box.com
Cl0p Onion Leak Page     hxxp[:]//santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad[.]onion
Cl0p Onion Chat Page     hxxp[:]//6v4q5w7di74grj2vtmikzgx2tnq5eagyg2cubpcnqrvvee2ijpmprzqd[.]onion

YARA Rule

rule ClopELF
{
    meta:
        author = "@Tera0017/@SentinelLabs"
        description = "Temp Clop ELF variant yara rule based on $hash"
        reference = "https://s1.ai/Clop-ELF"
        hash = "09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef"
    strings:
        $code1 = {C7 45 ?? 00 E1 F5 05}
        $code2 = {81 7D ?? 00 E1 F5 05}
        $code3 = {C7 44 24 ?? 75 00 00 00}
        $code4 = {C7 44 24 ?? 80 01 00 00}
        $code5 = {C7 00 2E [3] C7 40 04}
        $code6 = {25 00 F0 00 00 3D 00 40 00 00}
        $code7 = {C7 44 24 04 [4] C7 04 24 [4] E8 [4] C7 04 24 FF FF FF FF E8 [4] C9 C3}
    condition:
        uint32(0) == 0x464c457f and all of them
}
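The indicator table and the YARA rule above are easiest to put to work as a host sweep: hash every file, compare against the listed SHA1 values, flag the two ransom-note file names and the .C_I_0P extension, and use the same ELF-magic test the rule's condition uses to decide which files are even worth scanning with the rule.  The following script is an added example written for this page, not code from SentinelOne or Red Sky Alliance.  The hashes, file names, extension and magic constant are copied from the table and rule; the directory tree built by build_demo_tree() is constructed for the demo and is not real victim data.

```python
"""Sweep a directory tree for the Cl0p indicators listed in the report.

Added example (not SentinelOne's or Red Sky Alliance's code). Indicator
values are copied from the IOC table and the ClopELF YARA rule above;
build_demo_tree() creates a constructed sample tree, not real victim data.
"""
import hashlib
import struct
import tempfile
from pathlib import Path

# SHA1 values from the report's IOC table, mapped to the report's labels.
CL0P_SHA1 = {
    "46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5": "ELF Cl0p",
    "40b7b386c2c6944a6571c6dcfb23aaae026e8e82": "Win Cl0p",
    "4fa2b95b7cde72ff81554cfbddc31bbf77530d4d": "Win Cl0p",
    "a1a628cca993f9455d22ca2c248ddca7e743683e": "Win Cl0p",
    "a6e940b1bd92864b742fbd5ed9b2ef763d788ea7": "Win Cl0p",
    "ac71b646b0237b487c08478736b58f208a98eebf": "Win Cl0p",
    "ba5c5b5cbd6abdf64131722240703fb585ee8b56": "ELF Cl0p Note",
    "77ea0fd635a37194efc1f3e0f5012a4704992b0e": "Win Cl0p Note",
}
RANSOM_NOTES = {"README_C_I_0P.TXT", "!_READ_ME.RTF"}  # ELF and Windows note names
RANSOM_EXT = ".C_I_0P"                                 # appended to encrypted files
ELF_MAGIC = 0x464C457F  # the constant the YARA rule compares against uint32(0)


def is_elf(path):
    """Replicate the YARA condition uint32(0) == 0x464c457f.

    YARA's uint32() reads little-endian, so 0x464c457f is the on-disk byte
    sequence 7f 45 4c 46 (DEL, 'E', 'L', 'F'), the ELF header magic.
    """
    with open(path, "rb") as fh:
        head = fh.read(4)
    return len(head) == 4 and struct.unpack("<I", head)[0] == ELF_MAGIC


def sha1_of(path):
    """SHA1 hex digest of a file, read in 1 MiB chunks so large files are fine."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root):
    """Return (path, reason) pairs for every file matching a listed indicator."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name in RANSOM_NOTES:          # exact names from the IOC table
            findings.append((str(path), "ransom note name"))
        if path.name.endswith(RANSOM_EXT):     # encrypted-file marker
            findings.append((str(path), "encrypted-file extension"))
        digest = sha1_of(path)
        if digest in CL0P_SHA1:                # known payload or note sample
            findings.append((str(path), "SHA1 match: " + CL0P_SHA1[digest]))
    return findings


def elf_candidates(root):
    """Files that pass the YARA rule's first gate (ELF magic) and are therefore
    worth scanning with ClopELF; everything else can be skipped outright."""
    return [str(p) for p in sorted(Path(root).rglob("*")) if p.is_file() and is_elf(p)]


def build_demo_tree():
    """Constructed sample tree for the demo: a note, an encrypted file,
    an ELF-header stub (not a real binary) and a benign file."""
    root = Path(tempfile.mkdtemp(prefix="cl0p-demo-"))
    (root / "README_C_I_0P.TXT").write_text("demo ransom note\n")
    (root / "data").mkdir()
    (root / "data" / "report.pdf.C_I_0P").write_bytes(b"\x00" * 32)
    (root / "data" / "notes.txt").write_text("nothing to see here\n")
    (root / "bin").mkdir()
    (root / "bin" / "stub").write_bytes(b"\x7fELF" + b"\x00" * 60)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit_path, reason in sweep(demo):
        print(f"{reason:26} {hit_path}")
    for elf_path in elf_candidates(demo):
        print(f"{'ELF, run YARA rule':26} {elf_path}")
```

The SHA1 lookup only catches the exact samples in the table, so the file-name and extension checks are what will usually fire first on a live host; a hit on either should be followed by running the ClopELF rule over the files elf_candidates() returns, since the rule's byte patterns cover rebuilt payloads that the hash list does not.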

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941


REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  

[1] https://therecord.media/first-linux-variant-of-clop-ransomware-targeted-universities-colleges-but-was-flawed/

[2] https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/
