The first Linux variant of the Clop ransomware was rife with issues that allowed researchers to create a decryptor tool for victims. SentinelOne said it observed the first Clop (also stylized as Cl0p) ransomware variant targeting Linux systems on 26 December 2022. Clop has existed since about 2019, targeting large companies, financial institutions, primary schools and critical infrastructure across the world. After the group targeted several major South Korean companies like e-commerce giant E-Land in November 2020, multiple actors connected to the group were arrested in Kyiv, Ukraine. Those arrested had laundered more than $500 million from Clop and one other ransomware group.[1]
SentinelOne explained that the new Linux variant was mostly used to target educational institutions, including a university in Colombia, but had issues that defenders could exploit to help victims. “We discovered a flaw in the Linux version of Clop ransomware which enabled us to create a decryptor tool. We have not seen any new versions of the ransomware in the wild. However, we predict that the ransomware authors will likely attempt to fix the flaw in future versions, so organizations should take steps to protect themselves against the ransomware,” SentinelOne said. “We found that the Linux version of the Cl0p ransomware is in an early stage of development, suggesting that the threat actors are still manually operating and tweaking the ransomware to target specific victims. We also noticed that the ransomware had hardcoded victim-specific details, such as file paths for encryption, indicating that the threat actors had knowledge of the victim environment before launching the attack.”
SentinelOne published a report on their findings, explaining that the Linux variant of the ransomware resembled the Windows version, using the same encryption method and process logic.[2] The researchers noted that the developers likely did not invest much time or resources into improving the obfuscation or evasiveness of the Linux version because many security systems could not detect it. The Windows version allowed the ransomware group to list out what folders and files should not be encrypted, but that functionality was not seen with the Linux version. The Linux version was used to target specific folders and all file types. “Rather than simply port the Windows version of Cl0p directly, the authors have chosen to build bespoke Linux payloads. We understand this to be the primary reason for the lack of feature parity between the new Linux version and the far more established Windows variant,” SentinelOne explained. “SentinelLabs expects future versions of the Linux variant to start eliminating those differences and for each updated functionality to be applied in both variants simultaneously.”
The Linux version also leaves the ransom note in a .txt format while the Windows version leaves the ransom note in .rtf.
[Figure: a sample of the Clop ransom note.]
SentinelOne noted that the Linux version was part of a larger trend among ransomware groups of creating Linux variants of their strains.
Hive, Qilin, Snake, Smaug, Qyick and numerous others have used Linux variants to encrypt victims. In spite of the June 2021 arrests, Clop has not stopped operating and the development of a Linux version should prompt defenders to be ready for anything, SentinelOne said. “Ransomware groups are constantly seeking new targets and methods to maximize their profits. Being widely used in enterprise environments, Linux and cloud devices offer a rich pool of potential victims,” SentinelOne said. “In recent years, many organizations have shifted towards cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks. Therefore, ransomware groups targeting Linux and cloud systems is a natural progression in their quest for higher profits and easier targets.”
From SentinelOne: Over the last twelve months or so we have continued to observe the increased targeting of multiple platforms by individual ransomware operators or variants. The discovery of an ELF-variant of Cl0p adds to the growing list of the likes of Hive, Qilin, Snake, Smaug, Qyick and numerous others.
We know that Cl0p operations have shown little if any slow-down since the disruption in June 2021. While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward.
SentinelLabs continues to monitor the activity associated with Cl0p. SentinelOne Singularity protects against malicious artifacts and behaviors associated with Cl0p attacks including the ELF variant described in this post.
Indicators of Compromise

| IOC Type | IOC Value |
| --- | --- |
| SHA1 ELF Cl0p | 46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5 |
| SHA1 Win Cl0p | 40b7b386c2c6944a6571c6dcfb23aaae026e8e82 |
| SHA1 Win Cl0p | 4fa2b95b7cde72ff81554cfbddc31bbf77530d4d |
| SHA1 Win Cl0p | a1a628cca993f9455d22ca2c248ddca7e743683e |
| SHA1 Win Cl0p | a6e940b1bd92864b742fbd5ed9b2ef763d788ea7 |
| SHA1 Win Cl0p | ac71b646b0237b487c08478736b58f208a98eebf |
| SHA1 ELF Cl0p Note | ba5c5b5cbd6abdf64131722240703fb585ee8b56 |
| SHA1 Win Cl0p Note | 77ea0fd635a37194efc1f3e0f5012a4704992b0e |
| ELF Ransom Note | README_C_I_0P.TXT |
| Win Ransom Note | !_READ_ME.RTF |
| Cl0p Ransom Extension | .C_I_0P |
| Cl0p Contact Email | unlock[@]support-mult.com |
| Cl0p Contact Email | unlock[@]rsv-box.com |
| Cl0p Onion Leak Page | hxxp[:]//santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad[.]onion |
| Cl0p Onion Chat Page | hxxp[:]//6v4q5w7di74grj2vtmikzgx2tnq5eagyg2cubpcnqrvvee2ijpmprzqd[.]onion |
YARA Rule

rule ClopELF
{
    meta:
        author = "@Tera0017/@SentinelLabs"
        description = "Temp Clop ELF variant yara rule based on $hash"
        reference = "https://s1.ai/Clop-ELF"
        hash = "09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef"
    strings:
        $code1 = {C7 45 ?? 00 E1 F5 05}
        $code2 = {81 7D ?? 00 E1 F5 05}
        $code3 = {C7 44 24 ?? 75 00 00 00}
        $code4 = {C7 44 24 ?? 80 01 00 00}
        $code5 = {C7 00 2E [3] C7 40 04}
        $code6 = {25 00 F0 00 00 3D 00 40 00 00}
        $code7 = {C7 44 24 04 [4] C7 04 24 [4] E8 [4] C7 04 24 FF FF FF FF E8 [4] C9 C3}
    condition:
        uint32(0) == 0x464c457f and all of them
}
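The indicator table and the YARA rule above are the raw material for a quick host triage. The script below is an added example written for this page; it is not SentinelOne's or Red Sky Alliance's code. It walks a directory and flags files whose SHA-1 matches one of the listed hashes, files named like either ransom note, files carrying the .C_I_0P extension, and files that begin with the ELF magic the YARA condition tests (uint32(0) == 0x464c457f, which is the bytes 7F 45 4C 46 read as a little-endian integer). The sample files it creates (a placeholder note, a stand-in for an encrypted document, a four-byte ELF stub) are constructed for the demonstration and contain no malware; the function and variable names are the example's own.

```python
"""Triage helper built from the Cl0p indicators listed on this page (added example)."""

import hashlib
import os
import tempfile

# SHA-1 values and labels copied from the IOC table above.
CL0P_SHA1 = {
    "46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5": "ELF Cl0p",
    "40b7b386c2c6944a6571c6dcfb23aaae026e8e82": "Win Cl0p",
    "4fa2b95b7cde72ff81554cfbddc31bbf77530d4d": "Win Cl0p",
    "a1a628cca993f9455d22ca2c248ddca7e743683e": "Win Cl0p",
    "a6e940b1bd92864b742fbd5ed9b2ef763d788ea7": "Win Cl0p",
    "ac71b646b0237b487c08478736b58f208a98eebf": "Win Cl0p",
    "ba5c5b5cbd6abdf64131722240703fb585ee8b56": "ELF Cl0p Note",
    "77ea0fd635a37194efc1f3e0f5012a4704992b0e": "Win Cl0p Note",
}
RANSOM_NOTE_NAMES = {"README_C_I_0P.TXT", "!_READ_ME.RTF"}
RANSOM_EXTENSION = ".C_I_0P"
# Same constant the YARA rule compares against: b"\x7fELF" as a little-endian uint32.
ELF_MAGIC_LE = 0x464C457F


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large files are never read whole into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path):
    """Mirror the YARA condition: first four bytes interpreted as a little-endian uint32."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return len(head) == 4 and int.from_bytes(head, "little") == ELF_MAGIC_LE


def classify_file(path):
    """Return the indicator categories one file matches (empty list if none)."""
    findings = []
    name = os.path.basename(path).upper()
    digest = sha1_of_file(path)
    if digest in CL0P_SHA1:
        findings.append("sha1:" + CL0P_SHA1[digest])
    if name in RANSOM_NOTE_NAMES:
        findings.append("ransom_note_name")
    if name.endswith(RANSOM_EXTENSION):
        findings.append("ransom_extension")
    if is_elf(path):
        # Informational only: every ELF binary has this header, so it is a
        # prefilter for the YARA rule, not a verdict on its own.
        findings.append("elf_header")
    return findings


def scan_directory(root):
    """Walk root and map each file with at least one finding to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            findings = classify_file(full)
            if findings:
                hits[os.path.relpath(full, root)] = findings
    return hits


def build_sample_tree(root):
    """Write constructed sample files: a placeholder note, an opaque stand-in for an
    encrypted document, a four-byte ELF stub (not a real binary) and a benign file."""
    samples = {
        "README_C_I_0P.TXT": b"constructed ransom note placeholder\n",
        "finance/report.xlsx.C_I_0P": bytes(range(64)),
        "bin/elf_stub": b"\x7fELF" + b"\x00" * 28,
        "docs/notes.txt": b"meeting notes, nothing of interest\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return sorted(samples)


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(f"{path}: {', '.join(findings)}")
```

Run against a real mount point by calling scan_directory on it instead of demo(); a hash hit against the table is a strong indicator, while the note name and extension checks are what an operator would see first on an encrypted host, and the ELF check only narrows which files are worth passing to the YARA rule.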
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://therecord.media/first-linux-variant-of-clop-ransomware-targeted-universities-colleges-but-was-flawed/
[2] https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/