The relatively unknown Clop ransomware variant may stay that way a bit longer, after its Linux version was discovered to have a rather embarrassing flaw.
The Linux version of the ransomware was first detected in December 2022 by SentinelLabs researcher Antonis Terefos. His analysis showed that the Linux variant is almost identical to the Windows version, but with a few small (albeit crucial) differences.
Namely, Linux victims were able to silently decrypt all infected files and recover their endpoints – without having to pay the criminals anything.
Master key recovery
Among these differences is the fact that the Linux version “did not encrypt the RC4 keys used to encrypt files with the RSA-based asymmetric algorithm used in the Windows variant.”
Unlike the Windows version, the Linux version uses a hard-coded RC4 “master key” to generate the encryption keys, then uses the same to encrypt and store files locally. When SentinelLabs discovered this, they used the flaw to recover the keys and reverse the encryption. The team has since built a Python script to automate the process, which is available on GitHub.
But this is not the only serious drawback of this ransomware. The malware also saves additional data in the encrypted file, such as the original file’s size and the time of encryption. Usually this type of data is obfuscated, because it can help forensic analysts identify important documents; in this case it wasn’t hidden at all.
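To show why a hard-coded symmetric master key defeats the scheme described above, here is an added Python example (not SentinelLabs' decryptor and not Clop code): a constructed toy container in which a per-file RC4 key is wrapped under a master key and the file size and timestamp are stored in cleartext, followed by the recovery routine that anyone holding the master key pulled from the binary can run. The container layout, the MASTER_KEY value and the function names are assumptions for illustration.

```python
import os
import struct

# Constructed placeholder standing in for a master key embedded in a binary.
MASTER_KEY = b"constructed-master-key-placeholder"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA) keystream XOR; encrypting and decrypting are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Toy container layout (constructed, not the real Clop format):
#   [file key wrapped with MASTER_KEY: 16][original size: 8][timestamp: 8][ciphertext]
def toy_encrypt(plaintext: bytes, master_key: bytes, now: int) -> bytes:
    file_key = os.urandom(16)
    wrapped = rc4(master_key, file_key)            # symmetric wrap: anyone with master_key unwraps
    header = wrapped + struct.pack("<QQ", len(plaintext), now)
    return header + rc4(file_key, plaintext)


def recover(container: bytes, master_key: bytes):
    """Recover plaintext plus the cleartext metadata using only the embedded master key."""
    wrapped = container[:16]
    size, timestamp = struct.unpack("<QQ", container[16:32])  # readable without any key
    file_key = rc4(master_key, wrapped)            # RC4 is symmetric, so the same key unwraps
    plaintext = rc4(file_key, container[32:])
    if len(plaintext) != size:
        raise ValueError("size field does not match recovered data")
    return plaintext, size, timestamp


if __name__ == "__main__":
    blob = toy_encrypt(b"constructed sample document", MASTER_KEY, 1670000000)
    data, size, ts = recover(blob, MASTER_KEY)
    print(size, ts, data)
```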
All of this led the researchers to conclude that the Clop ransomware, at least in its current form, is unlikely to become a major threat. Now that the cat is out of the bag, it’s safe to assume that a new version is in the works and may be released soon.
Still, such news is always good, especially for victims:
“We shared our findings early with relevant law enforcement and intelligence partners and will continue to work with relevant organizations to influence the economy of the ransomware space in favor of defenders,” SentinelLabs told BleepingComputer.
By: BleepingComputer