Clop ransomware had a rather handy flaw for Linux users to exploit
A relatively obscure ransomware (opens in new tab) variant called Clop may stay that way for a bit longer, after it was discovered to have a Linux version that had a rather embarassing flaw.
The Linux version of the ransomware was first spotted in December 2022 by a SentinelLabs researcher named Antonis Terefos. His analysis determined that the Linux variant is almost identical to the Windows one, but with a few small (albeit crucial) differences.
Namely, Linux users were able to quietly decrypt all of the affected files and reclaim their endpoints – without having to pay the criminals anything.
Retrieving the master key
Among those differences is the fact that the Linux version “did not encrypt the RC4 keys used for file encryption with the RSA-based asymmetric algorithm used in the Windows variant.
Unlike the Windows version, the Linux one uses a hardcoded RC4 “master key” which generates encrypting keys, and then uses the same one to encrypt and store files, locally. When SentinelLabs figured it out, they used the flaw to freely retrieve the keys and reverse the encryption. The team has now built a Python script to help automate the process, which can be found on GitHub.
But that’s not the only major flaw this ransomware has. Apparently, the malware also writes extra data to the encrypted file, such as its size and encryption time. Usually, this type of data is obfuscated as it can help forensic analysts identify important documents. In this case, it wasn’t hidden at all.
All of this prompted the researchers to conclude that the Clop ransomware, at least in its current form, is unlikely to take off as a major threat. Now that the cat is out of the bag, it’s safe to assume that a new version is in the works and that it could be released soon.
Still, news like this is always good, especially for the victims:
“We shared our findings early with relevant law enforcement and intelligence partners and will continue to collaborate with the relevant organizations to affect the economics of the ransomware space in favor of defenders,” SentinelLabs told BleepingComputer.
Via: BleepingComputer (opens in new tab)
Audio player loading… A relatively obscure ransomware (opens in new tab) variant called Clop may stay that way for a bit longer, after it was discovered to have a Linux version that had a rather embarassing flaw. The Linux version of the ransomware was first spotted in December 2022 by…
Recent Posts
- Google’s Live Caption may soon become more emotionally expressive on Android
- Doctor Who: Boom review: All hail the conquering hero
- Quordle today – hints and answers for Saturday, May 18 (game #845)
- NYT Strands today — hints, answers and spangram for Saturday, May 18 (game #76)
- Logitech Pro X 60 Keyboard Review: Best, Brightest, and Now Smaller
Archives
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011