The first-ever Linux variant of the Clop ransomware has been detected in the wild, but with a faulty encryption algorithm that has made it possible to reverse engineer the process.
“The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom,” SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News.
The cybersecurity firm, which has made available a decryptor, said it observed the ELF version on December 26, 2022, while also noting its similarities to the Windows flavor when it comes to using the same encryption method.
The detected sample is said to be part of a larger attack targeting educational institutions in Colombia, including La Salle University, around the same time. The university was added to the criminal group’s leak site in early January 2023, per FalconFeedsio.