An experimental new version of a prolific form of ransomware has been seen targeting Linux systems for the first time.
Clop ransomware first appeared in 2019 and, despite being hit by arrests and takedowns in 2021, continues to operate today, with the discovery of a new variant indicating the group is still keen to find new means of conducting ransomware campaigns.
The Linux variant of Clop ransomware has been uncovered and detailed by cybersecurity researchers at SentinelOne, who say it’s active in the wild. However, they also suggest a flawed decryption mechanism means that, for now, the Clop Linux variant is still in the experimental stages of development.
The new Linux variant is similar to the original Windows-targeting Clop, using the same encryption method and similar process logic — but there’s also some differences.
Some of these variations exist because the ransomware authors are trying to build bespoke Linux payloads from scratch, instead of just directly porting the Windows version of Clop to Linux.
It’s for this reason that researchers believe the Linux variant of Clop is still under development, because several functions that are in the Windows version still aren’t available in the Linux variant.
Also: Ransomware has now become a problem for everyone, and not just tech
In addition, the Linux version of Clop ransomware currently contains a flaw in its encryption protocols, which makes it possible to retrieve encrypted files without holding the decryption key.
In other words, in its current state, the Linux version of Clop ransomware could be ineffective at forcing victims to pay a ransom, as they potentially wouldn’t need to pay to get their files back.
While the Linux version of Clop ransomware appears to be experimental at this stage, it’s the latest in a string of ransomware variants that are focused on operating systems other than Windows.
Linux has become an increasingly popular target for malware and ransomware attacks because it’s become widely used in enterprise networks, particularly as organizations shift their focus toward cloud-based applications and services.
“Ransomware groups are constantly seeking new targets and methods to maximize their profits. Being widely used in enterprise environments, Linux and cloud devices offer a rich pool of potential victims. Cloud infrastructures often store critical data and run business-critical applications, making them a valuable target,” Antonis Terefos, threat intelligence researcher at SentinelOne, told ZDNET.
“In recent years, many organizations have shifted towards cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks. Therefore, ransomware groups targeting Linux and cloud systems is a natural progression in their quest for higher profits and easier targets,” he added.
Also: Ransomware: Why it’s still a big threat, and where the gangs are going next
When it comes to defending Linux systems against ransomware and other threats, there are steps that can be taken — and many are similar to those used to help protect Windows systems.
These steps include keeping systems up to date with the latest security patches to prevent intrusions that exploit known vulnerabilities in systems.
Many ransomware attacks also abuse stolen usernames and passwords. Organisations should ensure that accounts, particularly those associated with critical servers, are secured with a strong and unique password — and accounts should be secured with multi-factor authentication to provide an additional layer of security.
“The recommended approach to protect from such attacks is a multi-layer perspective — it includes investing in the proper endpoint protection on each cloud, and endpoint, regardless of their operating system, ensuring access control, protecting the identities of an organization, patch management, and educating users about their risks of phishing and other social engineering tactics,” said Terefos.