34.Key AbstractDigital

The Clop ransomware gang is now also using a malware variant that explicitly targets Linux servers, but a flaw in the encryption scheme has allowed victims to quietly recover their files for free for months.

This new Linux version of Clop was spotted in December 2022 by Antonis Terefos, a researcher at SentinelLabs, after the threat group used it together with the Windows variant in an attack against a university in Colombia.


While very similar to the Windows version, as they both use the same encryption method and almost identical process logic, there still are some differences, mainly limited to OS API calls and features still waiting to be implemented in the Linux variant.