Clop ransomware had a rather handy flaw for Linux users to exploit
>
A relatively obscure ransomware (opens in new tab) variant named Clop may stay that way for a bit longer, after it was discovered that there was a Linux version with a rather embarrassing flaw.
The Linux version of the ransomware was first spotted in December 2022 by a SentinelLabs researcher named Antonis Terefos. His analysis determined that the Linux variant is almost identical to the Windows variant, but with a few minor (albeit crucial) differences.
Indeed, Linux users were able to quietly decrypt all affected files and reclaim their endpoints – without paying the criminals anything.
Retrieving the master key
One of those differences is the fact that the Linux version “did not encrypt the RC4 keys used for file encryption with the RSA-based asymmetric algorithm used in the Windows variant.
Unlike the Windows version, the Linux version uses a hard-coded RC4 master key that generates encryption keys and then uses the same ones to encrypt and store files locally. When SentinelLabs found out, they used the flaw to freely retrieve the keys and unencrypt them. The team has now built a Python script to help automate the process, which can be found on GitHub.
But that is not the only major flaw of this ransomware. Apparently, the malware also writes additional data to the encrypted file, such as size and encryption time. Typically, this type of data is obfuscated, as it can help forensic analysts identify important documents. In this case it was not hidden at all.
All of this led the researchers to conclude that the Clop ransomware, at least in its current form, is unlikely to take off as a major threat. Now that the cat is out of the bag, it’s safe to assume that a new version is in the works and could be released soon.
Still, this kind of news is always good, especially for the victims:
“We have shared our findings early with relevant law enforcement and intelligence partners and will continue to work with the relevant organizations to influence the economics of the ransomware space in favor of defenders,” SentinelLabs told BleepingComputer.
Through: Beeping computer (opens in new tab)