The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Cl0p Linux Variant

Feb 28, 2023 12:53:32 PM / by The Hivemind

cl0pVerticals Targeted: Education, Various

Executive Summary

SentinelLabs recently reported on a newly discovered Linux variant of Cl0p ransomware. The Linux variant is similar to the Windows variant but uses a flawed encryption logic.

Key Takeaways

  • A new Linux variant of Cl0p ransomware was recently discovered.
  • The variant has been in the wild since at least late December 2022.
  • While the Linux variant of Cl0p shares similarities with the Windows version, the Linux version uses a flawed encryption logic.
  • Cl0p Linux is currently difficult to detect. 

What is the Cl0p Linux Variant?

SentinelLabs recently reported on a newly discovered Linux variant of Cl0p ransomware. The Linux variant has been in the wild since late December 2022 and is similar to the Windows variant. However, some functionality found in the Windows version is not yet available in the Linux version, leading SentinelLabs researchers to assess the Linux variant is still under development.

The initial infection vector is currently unknown. Cl0p Linux targets specific folders, subfolders, and all files and types. Cl0p Linux also has a flawed encryption logic. It uses a hardcoded RC4 master key, which is copied to the global variable szKeyKey. During encryption, it generates a 0x75 bytes size RC4 key, which is encrypted using the master key and stored in $filename.$clop_extension.

SentinelLabs analysts noted multiple differences between the Linux and Windows variants of Cl0p, including but not limited to the following:

  • The Windows variant excludes specific files, folders, and file extensions from encryption, while the Linux variant does not. 
  • The Windows variant uses different methods of reading files and writing the encrypted buffer, depending on the size of the file, while the Linux variant encrypts all files using mmap64/munmap. 
  • The Windows variant stores the encrypted ransom note as a resource, decrypting it with an XOR algorithm, while the Linux variant stores the ransom note as plaintext in .rodata. 
  • The Windows variant enumerates through drives to find a starting point to recursively encrypt folders, while the Linux variant contains hard-coded folders. 
  • The Windows variant can be executed in multiple ways, while the Linux variant does not accept command line parameters and recursively encrypts the hardcoded folders. 
  • The Windows variant uses the RSA algorithm and a public key to encrypt the generated RC4 key, while the Linux version uses an RC4 master key, as noted above.


At present, the Linux variant of Cl0p is difficult to detect. However, since a symmetric algorithm is used, this encryption logic flaw can be exploited to recover files without paying a ransom.


PolySwarm has a sample of the Cl0p Linux variant.


You can use the following CLI command to search for all Cl0p samples in our portal:

$ polyswarm link list -f Cl0p

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Ransomware, Linux, Cl0p

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts