Cl0p Goes Linux Ways, With Flaws and Frowns

Cl0p gets Linux(ed) 

• The samples are believed to be a part of a recent attack campaign on educational institutions in Colombia. Cl0p had added La Salle University as its victim in early January.
• The Linux and Windows variants share similarities in encryption methods and process logic. However, several key differences in the functionalities have been observed, indicating that this malware is still under development.
• Moreover, researchers identified a flaw in the encryption algorithm, after which they reverse-engineered the encryption process and developed a decrypter to unlock the encrypted files without paying the ransom.

Windows vs Linux variants

• The Windows variant uses a hashing algorithm to exclude specific folders and files from encryption. Instead of using such a method for exclusion, the Linux variant is designed to target only a specific list of files and folders.
• The file encryption process in the Windows variant differs with file size. Small files are ignored, while separate Windows APIs are used for mid-sized files and large-sized files. Linux variant uses the same encryption method for files of all sizes.
• Differences were identified in the enumeration of hard drives, RC4 Key encryption, command line parameters, and the way ransom notes are stored on the victim machine.

A noticeable flaw

• The malware does not use an RSA-based asymmetric algorithm to encrypt the RC4 keys (used for file encryption) as in the Windows variant.
• It uses a hardcoded master key to generate the encryption keys and uses that key for generating the RC4 encryption key that is stored locally on the file. 
• This RC4 key is never validated before starting the encryption process. This allowed researchers to retrieve the keys and thus develop a decryptor.

Ending notes