Cl0p ransomware becomes the newest threat to Linux users

February 21, 2023

The notorious Cl0p ransomware group has joined the other threat groups targeting Linux servers. According to published analysis, the Linux variant of Cl0p still has flaws in its encryption scheme, which allowed researchers to reverse-engineer it and build a decryptor.

Analysts spotted the Linux variant of Cl0p in December last year, after the group deployed it alongside its Windows strain during a campaign. Researchers reported that the samples came from a recent attack on an academic institution in Colombia.

The group then listed La Salle University as its latest victim last month.


The Linux variant of Cl0p ransomware overlaps substantially with its Windows variant.


The operators most likely derived the Linux build from their Windows variant, since the two share the same encryption logic and process flow.

Separately, analysts who reverse-engineered the variant's encryption routine found a weakness in how it handles keys and used it to build a decryptor that unlocks affected files.

The key-management scheme in the Linux strain is less robust than the Windows version's, which is why the researchers were able to break it.

Unlike the Windows variant, the Linux malware does not use an RSA public key to protect the per-file RC4 keys. Instead it relies on a hardcoded master key: the RC4 key for each file is generated from that master key and stored in the encrypted file, protected only by the same symmetric secret that ships inside the binary.

The malware also does not validate the RC4 key before encryption begins. Because the master key can be recovered from the sample, the researchers were able to reconstruct the file keys and write a decryptor for files hit by this build.
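The key handling described above, as an added toy example (not Cl0p's code and not the researchers' decryptor): a per-file RC4 key is wrapped only with a hardcoded symmetric master key and appended to the file, so an analyst who lifts the master key from the binary can unwrap every file key. The master key value, the trailer layout and the key length are assumptions made for the example; the page does not describe the real sample's file format.

```python
# Added illustration of the weakness described above: a per-file RC4 key
# protected only by a hardcoded symmetric master key. Constructed toy,
# not Cl0p's code; key bytes, trailer layout and lengths are assumptions.
import os
import struct
from typing import Optional, Tuple

# Stand-in for the master key an analyst would lift from the binary.
# Constructed value, NOT the real Cl0p key.
MASTER_KEY = b"hardcoded-master-key-from-the-binary"
TRAILER_MAGIC = b"CL0PDEMO"  # assumed marker so a decryptor can locate the trailer
FILE_KEY_LEN = 16
TRAILER_LEN = len(TRAILER_MAGIC) + 4 + FILE_KEY_LEN


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_file(plaintext: bytes, master_key: bytes = MASTER_KEY,
                 file_key: Optional[bytes] = None) -> bytes:
    """Ransomware side (modelled, not the real routine).

    Each file gets its own RC4 key. A scheme like the Windows build would wrap
    that key with an RSA public key; this one wraps it with the master key,
    so the wrapping is undone by anyone who holds the binary.
    """
    file_key = file_key if file_key is not None else os.urandom(FILE_KEY_LEN)
    if len(file_key) != FILE_KEY_LEN:
        raise ValueError("file key must be %d bytes" % FILE_KEY_LEN)
    body = rc4(file_key, plaintext)
    wrapped_key = rc4(master_key, file_key)  # the flaw: symmetric wrap with an embedded key
    trailer = TRAILER_MAGIC + struct.pack(">I", len(body)) + wrapped_key
    return body + trailer


def split_trailer(blob: bytes) -> Tuple[bytes, bytes]:
    """Locate the trailer at the end of the file; return (ciphertext_body, wrapped_key)."""
    if len(blob) < TRAILER_LEN:
        raise ValueError("file too short to carry a trailer")
    trailer = blob[-TRAILER_LEN:]
    if not trailer.startswith(TRAILER_MAGIC):
        raise ValueError("no trailer marker")
    (body_len,) = struct.unpack(">I", trailer[len(TRAILER_MAGIC):len(TRAILER_MAGIC) + 4])
    if body_len != len(blob) - TRAILER_LEN:
        raise ValueError("trailer length field does not match file size")
    return blob[:body_len], trailer[-FILE_KEY_LEN:]


def recover_file_key(blob: bytes, master_key: bytes = MASTER_KEY) -> bytes:
    """Analyst side: unwrap the per-file key using the master key taken from the sample."""
    _, wrapped_key = split_trailer(blob)
    return rc4(master_key, wrapped_key)


def decrypt_file(blob: bytes, master_key: bytes = MASTER_KEY) -> bytes:
    """Analyst side: rebuild the file key, then strip the trailer and decrypt the body."""
    body, _ = split_trailer(blob)
    return rc4(recover_file_key(blob, master_key), body)


if __name__ == "__main__":
    sample = b"constructed sample document contents\n" * 4  # constructed input
    encrypted = encrypt_file(sample)
    assert decrypt_file(encrypted) == sample
    assert decrypt_file(encrypted, b"wrong-master-key") != sample
    print("recovered %d bytes using only the hardcoded master key" % len(sample))
```

Nothing in the decryptor requires anything beyond the encrypted file and the constant lifted from the binary. Had the trailer instead held the file key encrypted under an RSA public key, the same analyst would have only that public key and would be unable to unwrap a single file key without the operators' private key.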

With the release of a Linux variant, Cl0p joins other notorious gangs such as Hive, BlackMatter, REvil and HelloKitty, all of which moved on to Linux servers once they had a stable Windows variant in operation.

Linux server administrators will likely pay more attention to hardening their systems after these attacks. Cybersecurity experts expect more malware strains to join the Linux onslaught as prominent threat groups continue to target Linux servers.
