February 7, 2023
Cl0p Ransomware Linux (ELF) Decryptor Tool
SentinelLabs has observed the first Linux variant of Cl0p ransomware.
The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom.
SentinelLabs has published a free decryptor for this variant here: https://github.com/SentineLabs/Cl0p-ELF-Decryptor
Windows versions of Cl0p ransomware use a Mersenne Twister PRNG (MT19937) to generate a 0x75-byte RC4 key for each file. The key is then validated (the sample checks whether its first five bytes are NULL) and used to encrypt the file. The generated RC4 key is then encrypted with the RSA public key and stored in $filename.$clop_extension. Victims who pay the ransom receive a decryptor that decrypts that generated Cl0p file with the RSA private key, retrieves the per-file RC4 key, and uses it to decrypt the encrypted file.
This core functionality is missing from the Linux variant. Instead, we discovered flawed encryption logic that makes it possible to recover the original files without paying for a decryptor.
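To make the Windows-variant scheme described above concrete, here is an added Python reconstruction of the per-file key handling (not code from SentinelLabs or the decryptor): an MT19937-drawn 0x75-byte key, the first-five-bytes validation check, and RC4 applied symmetrically, which is all a decryptor needs once the per-file key is recovered. The byte-extraction order from the PRNG and the exact form of the validation check are assumptions, not taken from the sample.

```python
import random

KEY_LEN = 0x75  # 117-byte RC4 key, as described for the Windows variant


def key_is_valid(key: bytes) -> bool:
    """Validation step from the write-up, modelled here (assumption) as:
    reject a key whose first five bytes are all NULL."""
    return len(key) == KEY_LEN and any(key[:5])


def generate_file_key(seed: int) -> bytes:
    """Draw candidate keys from MT19937 until one passes validation.
    random.Random is MT19937; byte extraction order is an assumption."""
    rng = random.Random(seed)
    while True:
        key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
        if key_is_valid(key):
            return key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encrypting and decrypting are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_plaintext(file_key: bytes, encrypted: bytes) -> bytes:
    """What a decryptor does once the per-file RC4 key has been retrieved
    (on Windows, by RSA-decrypting $filename.$clop_extension)."""
    return rc4(file_key, encrypted)


if __name__ == "__main__":
    key = generate_file_key(seed=1234)            # constructed seed
    sample = b"constructed sample file contents"  # constructed input
    locked = rc4(key, sample)
    assert recover_plaintext(key, locked) == sample
    print("recovered:", recover_plaintext(key, locked))
```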
Usage
python3 clop_linux_file_decr.py --help
========================================
SentinelOne Cl0p ELF variant Decryptor.
Author: @Tera0017/@SentinelOne
Link: https://s1.ai/Clop-ELF
========================================