{
	"id": "fd71f0f3-89c8-4150-8bd7-79013132b973",
	"created_at": "2026-04-06T00:13:27.146397Z",
	"updated_at": "2026-04-10T03:21:36.102706Z",
	"deleted_at": null,
	"sha1_hash": "d5ecf3e436557a1387410cc26875ebef3be074b4",
	"title": "Cl0p Ransomware Targets Linux Systems with Flawed Encryption | Decryptor Available",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1589437,
	"plain_text": "Cl0p Ransomware Targets Linux Systems with Flawed Encryption\r\n| Decryptor Available\r\nBy Antonis Terefos\r\nPublished: 2023-02-07 · Archived: 2026-04-05 14:29:57 UTC\r\nExecutive Summary\r\nSentinelLABS has observed the first Linux variant of Cl0p ransomware.\r\nThe ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files\r\nwithout paying the ransom.\r\nSentinelLABS has published a free decryptor for this variant here.\r\nBackground\r\nSentinelLABS observed the first ELF variant of Cl0p (also known as Clop) ransomware targeting Linux\r\nsystems on the 26th of December 2022. The new variant is similar to the Windows variant, using the same\r\nencryption method and similar process logic.\r\nThe mentioned sample appears to be part of a bigger attack that possibly occurred around the 24th of December\r\nagainst a University in Colombia (sample1, sample2, sample3, sample4, sample5). On the 5th of January the\r\ncybercrime group leaked the victim’s data on their onion page.\r\nELF Technical Analysis\r\nThe ELF Cl0p variant is developed with similar logic to the Windows variant, though it contains small differences\r\nmostly attributed to OS differences such as API calls. 
It appears to be in its initial development phases as some\r\nfunctionalities present in the Windows versions do not currently exist in this new Linux version.\r\nA reason for this could be that the threat actor has not needed to dedicate time and resources to improve\r\nobfuscation or evasiveness due to the fact that it is currently undetected by all 64 security engines on VirusTotal.\r\nSentinelOne Singularity detects Cl0p ransomware on both Linux and Windows devices.\r\nhttps://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/\r\nPage 1 of 9\n\nSentinelOne Singularity detects Cl0p Linux ransomware\r\nInitially, the ransomware creates a new process by calling fork and exits the parent-process. The child-process sets\r\nits file mode creation mask to any permission (read, write, execute) by calling umask(0). It then calls setsid,\r\ncreates a session and sets the process group ID. It tries to access root by changing the working directory to “/”\r\n(chdir(“/”)). Once the permissions are set, the ransomware proceeds encrypting other directories.\r\nTargeted Folders \u0026 Files\r\nWhile the Windows versions contain a hashing algorithm in order to avoid encrypting specific folders and files,\r\nsuch functionality was not observed in the Linux variant. 
The ELF variant targets specific folders, subfolders and\r\nall files/types.\r\nThe discovered ELF sample targets files contained in the following directories for encryption, though we do not\r\nexclude the possibility of future versions including more directories.\r\nFolder Description\r\n/opt Contains subdirectories for optional software packages\r\n/u01 Oracle Directory, mount point used for the Oracle software only.\r\n/u02 Oracle Directory, used for the database files.\r\n/u03 Oracle Directory, used for the database files.\r\n/u04 Oracle Directory, used for the database files.\r\n/home Contains the home directory of each user.\r\n/root Contains the home directory of the root user.\r\nEncryption Flaw\r\nWindows versions of Cl0p ransomware use a Mersenne Twister PRNG (MT19937) to generate a 0x75 bytes size\r\nRC4 key for each file. This key is then validated (checks if the first five bytes are NULL) and used for file\r\nencryption. Then, by using the RSA public key, it encrypts the generated RC4 key and stores it to\r\n$filename.$clop_extension . Victims who pay the ransom demand receive a decryptor which decrypts the\r\ngenerated Cl0p file using the RSA private key, retrieves the generated RC4 key, and then decrypts the encrypted\r\nfile.\r\nThis core functionality is missing in the Linux variant. 
Instead, we discovered a flawed ransomware-encryption\r\nlogic which makes it possible to retrieve the original files without paying for a decryptor.\r\nThe Linux variant contains a hardcoded RC4 “master-key” which, during the execution of the main function, is\r\ncopied into the global variable szKeyKey .\r\nSample’s RC4 “master-key”:\r\nJfkdskfku2ir32y7432uroduw8y7318i9018urewfdsZ2Oaifwuieh~~cudsffdsd\r\nDuring the file encryption phase, the ransomware – similar to the Windows version – generates a 0x75 bytes size\r\nRC4 key, with the use of a lookup table and a PRNG byte. This generated RC4 key is used to encrypt the\r\nmappedAddress and write it back to the file.\r\nThen by using the RC4 “master-key” the ransomware encrypts the generated RC4 key and stores it to\r\n$filename.$clop_extension . Because a symmetric algorithm (a second RC4 pass with a hardcoded key) is used to “encrypt” the file’s RC4 key, we\r\nwere able to take advantage of this flaw and decrypt Cl0p-ELF encrypted files.\r\nCl0p-ELF encryption flaw\r\nCl0p-ELF Decryption Logic:\r\n1. Retrieve the RC4 “master-key”.\r\n2. Read all $filename.$clop_extension files.\r\n3. Decrypt the generated RC4 key with RC4 using the RC4 “master-key”.\r\n4. Decrypt $filename with RC4 using the generated RC4 key.\r\n5. Write the decrypted data to $filename .\r\nWe packed all this logic into the following Python script.\r\nCl0p File-Key Creation Flaw\r\nThe 0x75 bytes size PRNG RC4 key is encrypted with RC4 using the RC4 “master-key”. The encrypted RC4\r\noutput is 0x75 bytes in size, though the ransomware writes 0x100 bytes into the created Cl0p key file $filename.$clop_extension . 
This\r\nresults in memory data, more specifically stack variables, being written to the file.\r\nCl0p-ELF file-key creation flaw.\r\nThis flaw leaks some information regarding the file before encryption. This includes:\r\nFile fstat64 result\r\ntotal size, in bytes, file size ( st_size )\r\ntime of last status change, exact time of file encryption ( st_ctime )\r\nand more forensic information regarding the file before the encryption.\r\nSize of buffer for file encryption (with check of \u003e= 0x5f5e100 )\r\nRC4 “master-key” size\r\nRC4 PRNG key size\r\nstruct clopelfkeyfile {\r\nbyte encr_rc4key[117];\r\nstat fdstat;\r\nlong fdid;\r\nint fd;\r\nint fdmappedaddr;\r\noff_t fdsize;\r\nint rc4_msize;\r\nlong rc4_fsize;\r\nint fdnameaddr;\r\nint frameaddr;\r\nint retaddr;\r\nbyte fdpathaddr[3];\r\n}\r\nDeveloped Functions \u0026 Names\r\nIn ELF binaries the .symtab , Symbol Table Section, holds information needed to locate and relocate a program’s\r\nsymbolic definitions and references, allowing us to retrieve function and global variable names.\r\nFunction Name Description\r\ndo_heartbeat(void) Main function which starts the encryption of various folders.\r\nfind(char *,char const*)\r\nMultiple calls of this function are done by do_heartbeat; this function takes as\r\nparameters 1) the starting folder to encrypt (example, “/opt”) 2) regex of files to\r\nencrypt (example, “*.*”) and performs a recursive search from the starting folder\r\nuntil it encrypts the “matching” regex files.\r\nCreateRadMe(char *) This function takes as parameter the folder in which to create the ransom note.\r\nEncrFile(char *) Encrypts the given filepath.\r\nexistsFile(char *) Checks if the file exists, or if the process has the permissions to open it.\r\n_rc4Full(void\r\nconst*,ushort,void\r\n*,ulong)\r\nWrapper function to _rc4Init and _rc4, which is used to encrypt a buffer with 
a\r\ngiven key.\r\nCreatekey(char *,uchar\r\n*)\r\nCreates and writes into “%s.C_I_0P” the encrypted buffer.\r\nGlobal Variable Description\r\nszKeyKey\r\nGlobal variable of 0x64 bytes size, initialized during the main function, containing the RC4\r\n“master-key” which encrypts the “randomly” generated 0x75 bytes size RC4 key.\r\nDifferences to Windows Variant\r\nRather than simply porting the Windows version of Cl0p directly, the authors have chosen to build bespoke Linux\r\npayloads. We understand this to be the primary reason for the lack of feature parity between the new Linux\r\nversion and the far more established Windows variant.\r\nSentinelLABS expects future versions of the Linux variant to start eliminating those differences and for each\r\nupdated functionality to be applied in both variants simultaneously.\r\nSome of the differences worth highlighting are detailed below:\r\nDifference Description\r\nFiles/Folders\r\nexclusions\r\nThe Windows variant contains a hashing algorithm which excludes specific folders\r\nand files from encryption. This functionality was not observed in the Linux variant.\r\nExtension\r\nexclusions\r\nThe Windows variant contains a hardcoded list of extensions to exclude from\r\nencryption. This functionality was not observed in the Linux variant.\r\nDifferent methods\r\nof Reading/Writing\r\ndepending on file\r\nsize.\r\nThe Windows variant, depending on the size of the file, will choose different methods\r\nof reading a file and writing the encrypted buffer. Small files are ignored, medium-sized files will make use of ReadFile/WriteFile, large files will use\r\nCreateFileMappingW/MapViewOfFile/UnmapViewOfFile. The Linux variant encrypts\r\nall the files using mmap64/munmap. 
Both variants only encrypt the first 0x5f5e100\r\nbytes of large files.\r\nRansom Note\r\nDecryption\r\nThe Windows variant stores the encrypted ransom note as a resource and decrypts it\r\nwith a simple XOR algorithm. The Linux variant stores the note as plain text in\r\n“.rodata”.\r\nDrive enumeration\r\nThe Windows variant initially enumerates through drives in order to “find” the starting\r\npoint to recursively encrypt the folders. The Linux variant contains hardcoded\r\n“starting” folders.\r\nRC4 default Key\r\nOnce the Windows variant generates a 0x75 size PRNG RC4 Key, it will check if the\r\nfirst 5 bytes are NULL; if so, it uses the default key for encryption. The Linux version\r\ndoes not perform this validation and does not contain a default RC4 key in case the\r\nfirst 5 bytes of the PRNG RC4 are NULL.\r\nCommand Line\r\nParameters\r\nThe Windows variant can be executed in three ways: 1) without parameters encrypting\r\nall local and network drives, 2) with “runrun” parameter encrypting only network\r\ndrives, 3) with a file as parameter which contains the folders to be encrypted (observed\r\ntemp.ocx/temp.dat). The Linux variant does not accept command line parameters and\r\nrecursively encrypts the specified hardcoded folders.\r\nRC4 Key\r\nEncryption\r\nThe Windows variant encrypts the generated RC4 key responsible for the file\r\nencryption using the asymmetric algorithm RSA and a public key. 
In the Linux\r\nvariant, the generated RC4 key is encrypted with an RC4 “master-key” (flawed logic).\r\nRansom Notes\r\nThe Linux variant of Clop ransomware drops a ransom note on victim machines in .txt format.\r\nELF sample ransom note, “README_C_I_0P.TXT”.\r\nThis differs somewhat from the Windows .rtf ransom note, although both use the email addresses\r\nunlock@support-mult[.]com and unlock@rsv-box[.]com as ways for victims to contact the attackers.\r\nWindows sample ransom note, “!_READ_ME.RTF”.\r\nConclusion\r\nOver the last twelve months or so we have continued to observe the increased targeting of multiple platforms by\r\nindividual ransomware operators or variants. The discovery of an ELF variant of Cl0p adds to the growing list of\r\nthe likes of Hive, Qilin, Snake, Smaug, Qyick and numerous others.\r\nWe know that Cl0p operations have shown little if any slow-down since the disruption in June 2021. While the\r\nLinux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of\r\nLinux in servers and cloud workloads suggest that defenders should expect to see more Linux-targeted\r\nransomware campaigns going forward.\r\nSentinelLABS continues to monitor the activity associated with Cl0p. 
SentinelOne Singularity protects against\r\nmalicious artifacts and behaviors associated with Cl0p attacks including the ELF variant described in this post.\r\nIndicators of Compromise\r\nIOC Type IOC Value\r\nSHA1 ELF Cl0p 46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5\r\nSHA1 Win Cl0p 40b7b386c2c6944a6571c6dcfb23aaae026e8e82\r\nSHA1 Win Cl0p 4fa2b95b7cde72ff81554cfbddc31bbf77530d4d\r\nSHA1 Win Cl0p a1a628cca993f9455d22ca2c248ddca7e743683e\r\nSHA1 Win Cl0p a6e940b1bd92864b742fbd5ed9b2ef763d788ea7\r\nSHA1 Win Cl0p ac71b646b0237b487c08478736b58f208a98eebf\r\nSHA1 ELF Cl0p Note ba5c5b5cbd6abdf64131722240703fb585ee8b56\r\nSHA1 Win Cl0p Note 77ea0fd635a37194efc1f3e0f5012a4704992b0e\r\nELF Ransom Note README_C_I_0P.TXT\r\nWin Ransom Note !_READ_ME.RTF\r\nCl0p Ransom Extension .C_I_0P\r\nCl0p Contact Email unlock[@]support-mult.com\r\nCl0p Contact Email unlock[@]rsv-box.com\r\nCl0p Onion Leak Page hxxp[:]//santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad[.]onion\r\nCl0p Onion Chat Page hxxp[:]//6v4q5w7di74grj2vtmikzgx2tnq5eagyg2cubpcnqrvvee2ijpmprzqd[.]onion\r\nYARA Rule\r\nrule ClopELF\r\n{\r\nmeta:\r\nauthor = \"@Tera0017/@SentinelLABS\"\r\ndescription = \"Temp Clop ELF variant yara rule based on $hash\"\r\nreference = \"https://s1.ai/Clop-ELF\"\r\nhash = \"09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef\"\r\nstrings:\r\n$code1 = {C7 45 ?? 00 E1 F5 05}\r\n$code2 = {81 7D ?? 00 E1 F5 05}\r\n$code3 = {C7 44 24 ?? 75 00 00 00}\r\n$code4 = {C7 44 24 ?? 
80 01 00 00}\r\n$code5 = {C7 00 2E [3] C7 40 04}\r\n$code6 = {25 00 F0 00 00 3D 00 40 00 00}\r\n$code7 = {C7 44 24 04 [4] C7 04 24 [4] E8 [4] C7 04 24 FF FF FF FF E8 [4] C9 C3}\r\ncondition:\r\nuint32(0) == 0x464c457f and all of them\r\n}\r\nSource: https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/"
	],
	"report_names": [
		"cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available"
	],
	"threat_actors": [],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5ecf3e436557a1387410cc26875ebef3be074b4.pdf",
		"text": "https://archive.orkl.eu/d5ecf3e436557a1387410cc26875ebef3be074b4.txt",
		"img": "https://archive.orkl.eu/d5ecf3e436557a1387410cc26875ebef3be074b4.jpg"
	}
}