Virus descriptions, 02/08/2023, 10:00 AM
On December 26, researchers from SentinelOne observed the first variant of the Clop (Cl0p) ransomware that targets Linux systems. Clop first appeared in 2019, targeting large companies, financial institutions, schools and critical infrastructure around the world. After the group attacked several major South Korean companies in November 2020, several people associated with it were arrested in Kiev, Ukraine.
Antonis Terefos, a SentinelOne researcher, explained that the new Linux variant was used mainly to attack educational institutions, but that it contained flaws which could be turned against it to help victims: the researchers built a decryption tool. They say they have not seen any new versions of the ransomware since, but expect the malware authors to fix these bugs in future releases.
The researchers say the Linux version of Cl0p is at an early stage of development, which indicates that the authors are still working on it and tailoring it to specific victims. Some details in the code also suggest that the attackers knew the victims' environment before launching the attack.
The Linux variant of the ransomware resembles the Windows version, and uses the same encryption method, the report said.
The Windows version lets the operators exclude folders and files that should not be encrypted, but that functionality was not seen in the Linux version. The Linux version encrypts a fixed set of folders and all file types within them.
“SentinelLabs expects that future versions of the Linux variant will begin to eliminate these differences and that any updated functionality will be applied to both variants simultaneously,” the report published by SentinelOne states.
The Linux version also leaves a ransom note in .txt format, while the Windows version leaves a ransom note in .rtf format.
Terefos says the Linux version of Clop is part of a wider trend among ransomware groups: Hive, Qilin, Snake, Smaug, Qyick and numerous other groups have also released Linux variants of their ransomware.
Despite the arrests in June 2021, Clop did not stop operating, and the development of a Linux version of its ransomware should prompt organizations to be prepared for anything, Terefos said.
“Ransomware groups are constantly looking for new targets and methods to maximize their profits. Because they are widely used in enterprise environments, Linux and cloud devices offer a rich pool of potential victims,” said Terefos.
Cover photo: Soumil Kumar, Pexels