New Cl0p Variant Targets Critical Linux Systems


February 8, 2023


The infamous Cl0p ransomware group released a new variant that targets critical Linux systems. While this first version of Cl0p for Linux was found to be riddled with bugs and easy to remediate, as we know from experience the developers are going to follow on with debugged versions that could wreak havoc on some very key systems and cause some major disruptions.

“The 'always on' nature of Linux systems provides a strategic beachhead for moving laterally throughout the network, so targeting Linux systems would allow the threat actors to brick the most sensitive parts of an organization's networks, which means the attackers can demand a higher ransom,” said Jon Miller, CEO and Co-founder at ransomware prevention specialist Halcyon.

“Cl0p is a dangerous ransomware family because it has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent further investigations in an emulated environment, such as sandboxing.

Typically ransomware attackers focus on the Windows OS since it has the most market share – they have ROI to think about too when choosing where to put their development resources. While Linux has a tiny footprint in desktop computing, it runs ~80% of all web servers, the majority of smartphones, 100% of the top 500 supercomputers, and a large portion of embedded devices which hold the most sensitive data of all.

Linux is favored by large network applications and data centers that drive most of the U.S. government and military networks, financial institutions, and even the backbone of the internet. So, while there are comparatively few Linux targets, the targets that do exist are potentially extremely lucrative for an attacker.”

Takeaway: Ransomware operators continue to advance their skillsets, improve the efficacy of their infection vectors and payloads, and continue to heavily invest in recruiting and retaining new talent, growing and expanding their illicit business operations and capabilities at an astounding pace. Legacy antivirus, NGAV and EDR tools were simply not designed to address the unique threat that ransomware presents, and this is why we keep seeing destructive ransomware attacks circumvent these general application solutions – this issue will be compounded by the fact that security offerings for Linux systems are immature at best.