Victims of the Linux Clop ransomware could decrypt their data for free for months

The Clop extortion gang has for several months been using the same ransomware in attacks aimed at Linux servers. However, an error in its encryption scheme allowed victims, all that time, to quietly restore their files at no cost.

This Linux version of Clop was discovered in December 2022 by Antonis Terefos, a researcher at SentinelLabs. The malware was detected after the group used it, together with a similar Windows variant, in an attack on one of the universities in Colombia.

Although the Linux and Windows versions are very similar, since both use the same encryption method and almost identical process logic, there are still some differences, mainly due to the differing structure of the two operating systems.

The Linux version of Clop is still at an early stage of development: it lacks proper obfuscation and mechanisms for evading security tools. SentinelLabs specialists have also published a decryptor on GitHub.


A flaw in the encryption scheme

Besides the lack of key protection, SentinelLabs found that when the malware writes the encryption key to the file, it also records additional data, such as the file's size and the time of encryption. This data should likewise have been hidden, because it can be used by specialists to decrypt the files.

The RC4 key and additional data being written to the file
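To show why storing the key beside the ciphertext defeats the scheme, here is an added example (not SentinelLabs' decryptor and not Clop's real on-disk format): a constructed trailer layout in which an RC4 key, the original size and the encryption time follow the ciphertext, and a recovery routine that reads them back and decrypts. The key length, field order and magic marker are assumptions made for the illustration.

```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Constructed trailer layout for illustration only (NOT the real Clop format):
# ciphertext || key (KEY_LEN bytes) || original size (u64 LE) || encryption time (u64 LE) || MAGIC
KEY_LEN = 16
MAGIC = b"DEMOFLAW"
TRAILER = struct.Struct("<QQ")

def flawed_encrypt(plaintext: bytes, key: bytes, ts: int) -> bytes:
    """Simulates the weakness described above: the RC4 key is stored next to the ciphertext."""
    return rc4(key, plaintext) + key + TRAILER.pack(len(plaintext), ts) + MAGIC

def recover(blob: bytes) -> tuple:
    """Defender-side recovery: read key and metadata back from the trailer, then decrypt."""
    if not blob.endswith(MAGIC):
        raise ValueError("no trailer found")
    body = blob[:-len(MAGIC)]
    size, ts = TRAILER.unpack(body[-TRAILER.size:])
    body = body[:-TRAILER.size]
    key, ciphertext = body[-KEY_LEN:], body[:-KEY_LEN]
    plaintext = rc4(key, ciphertext)
    # The stored size doubles as a sanity check that the right key was used.
    if len(plaintext) != size:
        raise ValueError("size in trailer does not match decrypted data")
    return plaintext, size, ts

if __name__ == "__main__":
    sample = b"constructed sample document"          # constructed input
    blob = flawed_encrypt(sample, b"\x01" * KEY_LEN, 1672000000)
    print(recover(blob))
```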

In its current form, the Linux Clop ransomware is unlikely to become a widespread threat. The release of the decryptor will probably push its authors to rework the program and release improved versions with a proper encryption scheme.

SentinelLabs said it had already shared its decryptor with law enforcement agencies so they could help victims of the attacks restore their files.

Media reports cited above.