Clop ransomware had a rather handy flaw for Linux users to exploit

A relatively obscure ransomware variant called Clop may stay that way for a bit longer, after it was discovered to have a Linux version th...

A relatively obscure ransomware variant called Clop may stay that way for a bit longer, after it was discovered to have a Linux version that had a rather embarassing flaw.

The Linux version of the ransomware was first spotted in December 2022 by a SentinelLabs researcher named Antonis Terefos. His analysis determined that the Linux variant is almost identical to the Windows one, but with a few small (albeit crucial) differences.

Namely, Linux users were able to quietly decrypt all of the affected files and reclaim their endpoints - without having to pay the criminals anything.

Retrieving the master key

Among those differences is the fact that the Linux version “did not encrypt the RC4 keys used for file encryption with the RSA-based asymmetric algorithm used in the Windows variant.

Unlike the Windows version, the Linux one uses a hardcoded RC4 “master key” which generates encrypting keys, and then uses the same one to encrypt and store files, locally. When SentinelLabs figured it out, they used the flaw to freely retrieve the keys and reverse the encryption. The team has now built a Python script to help automate the process, which can be found on GitHub.

But that’s not the only major flaw this ransomware has. Apparently, the malware also writes extra data to the encrypted file, such as its size and encryption time. Usually, this type of data is obfuscated as it can help forensic analysts identify important documents. In this case, it wasn’t hidden at all. 

All of this prompted the researchers to conclude that the Clop ransomware, at least in its current form, is unlikely to take off as a major threat. Now that the cat is out of the bag, it’s safe to assume that a new version is in the works and that it could be released soon. 

Still, news like this is always good, especially for the victims:

"We shared our findings early with relevant law enforcement and intelligence partners and will continue to collaborate with the relevant organizations to affect the economics of the ransomware space in favor of defenders," SentinelLabs told BleepingComputer.

Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/B5xEvQU
via IFTTT

COMMENTS

BLOGGER
Name

Apps,3858,Business,151,Camera,1155,Earn $$$,3,Gadgets,1741,Games,926,GTA,1,Innovations,3,Mobile,1697,Paid Promotions,5,Promotions,5,Sports,1,Technology,8106,Trailers,796,Travel,37,Trending,4,Trendly News,25335,TrendlyNews,188,Video,5,XIAOMI,13,YouTube - 9to5Google,187,
ltr
item
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews: Clop ransomware had a rather handy flaw for Linux users to exploit
Clop ransomware had a rather handy flaw for Linux users to exploit
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews
http://www.trendlynews.in/2023/02/clop-ransomware-had-rather-handy-flaw.html
http://www.trendlynews.in/
http://www.trendlynews.in/
http://www.trendlynews.in/2023/02/clop-ransomware-had-rather-handy-flaw.html
true
3372890392287038985
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy