A recently discovered variant in the prolific Clop family of ransomware brings some good and some bad news for security teams. The good news is that the malware is flawed: victims can relatively easily decrypt any data it has encrypted without first paying a ransom for a decryption key.
Faulty Encryption
Researchers with SentinelOne's SentinelLabs threat hunting team observed a recent Clop variant targeting Linux systems at a Colombian university.
The samples the firm analysed showed that the Linux code follows a logic similar to its more damaging Windows cousin, with slight differences related to API calls and other features that are specific to each operating system. SentinelOne's analysis suggests Clop's Linux release is likely still in early development, missing many of the obfuscation and deception features present in Windows versions of the malware. The security vendor connected this early-development state to the fact that none of VirusTotal's 64 antivirus engines could detect Clop's Linux variant at the time. Notably, the SentinelOne researchers found that the encryption logic was broken in the Linux variant.
"The problem comes down to a couple key differences between the Windows and Linux variants," said Antonis Terefos, threat information research scientist at SentinelOne. The Linux variant includes a hardcoded master key that, once extracted, allows for decryption, he said. The Windows version, however, contains many verification steps as well as a different key-generation process, making it harder to retrieve a master key in the same way. Specifically, the Windows version generates an RC4 key for every encrypted file on a compromised system, then encrypts that RC4 key itself and stores it on the system. Victims who pay the ransom are given the key needed to decrypt the RC4 key, which is then used to decrypt the actual data.
Differences Between Windows & Linux Clop Variants
SentinelOne has also found further differences between the Windows and Linux versions of Clop. The Windows variant, for example, includes logic to exempt certain files, folders, and extensions from encryption. In the Linux variant, by contrast, the paths targeted for encryption are hardcoded in the malware, Terefos said: "There is therefore no need to exclude undesirable locations."
The new Clop version adds to a growing list of ransomware families with variants targeting Linux systems; examples include Hive, Smaug, Snake, and Qilin. In a September report, researchers from Trend Micro who have been tracking the trend said they observed about 1,960 instances of threat actors using Linux ransomware in a breach attempt, up from 1,121 during the same time frame in 2021. The picture has only worsened for Linux systems since. For 2022 as a whole, Trend Micro identified about 27,602 attacks that involved Linux malware, said Trend Micro vice president of threat analysis Jon Clay.
That represents a 628 percent increase from 2021, he notes, adding: "We are seeing many more ransomware groups targeting Linux systems." The attacks are part of a larger rise in all types of malware targeting Linux environments, Clay says. As an example, he points to the 61% rise in cryptocurrency miners targeting Linux from 2021 to 2022. In the company's own report from last year, it identified over 14,000 instances of malicious actors trying to deploy the post-exploitation Cobalt Strike toolset to Linux hosts. Even so, attacks targeting Windows systems continued to surpass those directed against Linux environments by orders of magnitude.
Regardless, attackers' increasing interest in Linux is something enterprises cannot afford to ignore. "Linux and cloud-based devices provide a richer set of potential victims," Terefos said. "In the past few years, many organizations have moved to cloud and virtualized environments, making Linux and cloud systems an increasingly tempting target for ransomware attacks." Terefos notes that "the growth in multiplatform programming languages like Rust and Go is another factor in the mix, because it has reduced barriers for porting malicious software to other platforms.
"We see it in other groups such as Hive, Royal, LockBit, Agenda, and others. Successfully targeting the cloud environment is a must-have for these groups to succeed in the future."
Author: Jai Vijayan, Contributing Writer, Dark Reading