A newly identified variant of the Clop ransomware has emerged, specifically targeting Linux systems. Discovered actively exploiting vulnerabilities, this version utilizes a flawed encryption algorithm, enabling the recovery of encrypted files without the need to pay the associated ransom.

According to SentinelOne researcher Antonis Terefos, the ELF executable associated with this variant has significant weaknesses in its encryption process. In a report shared with The Hacker News, Terefos noted, “The flawed encryption algorithm makes it possible to decrypt locked files without paying the ransom.” This development reveals a unique opportunity for businesses to potentially recover from attacks that might otherwise seem devastating.

The cybersecurity firm has since released a decryptor tool to assist affected organizations. Notably, the first detection of the ELF variant occurred on December 26, 2022, with observations indicating it mirrors the encryption tactics used in its Windows counterpart.

This attack is particularly concerning as it is part of a broader campaign targeting educational institutions in Colombia, including La Salle University, inadvertently showcased when this university was listed on the cybercriminal group’s leak site in early January 2023. This highlights the expanding attack surface for ransomware operators, extending beyond traditional corporate environments.

The Clop ransomware operation, known for its activities since 2019, suffered a significant setback in June 2021 when law enforcement apprehended several of its members during an international operation termed Operation Cyclone. However, the group made a notable resurgence in early 2022, executing a series of attacks across various sectors.

SentinelOne characterizes the Linux variant as an early iteration of the ransomware, pointing out that several functionalities seen in previous Windows versions are currently absent. This lack of feature parity may stem from a deliberate decision by malware developers to create a distinct Linux payload, as opposed to merely converting the existing Windows version.

Interestingly, Terefos also suggested that the lack of detection by security engines may have influenced the development pace of this variant. With the Linux ransomware still undetected by all 64 security engines on VirusTotal, there may be less urgency for the authors to enhance its obfuscation and evasion capabilities.

This Linux version targets specific folders and file types for encryption, featuring a hard-coded master key that allows potential recovery of original files without engaging with the threat actors. The emergence of ransomware targeting Linux systems is part of a worrying trend, suggesting that cybercriminals are expanding their reach beyond Windows, which has traditionally been their primary focus.

Terefos warns that while the current Linux variant of Clop may be in its infancy, its evolution, alongside the broad adoption of Linux in cloud environments and servers, indicates that businesses should anticipate more ransomware campaigns aimed at Linux platforms in the future. Awareness and proactive measures are essential for maintaining cybersecurity in this evolving landscape.