The Linux variant of Clop ransomware has been uncovered and detailed by cybersecurity researchers at SentinelOne, who say it's active in the wild. However, they also suggest a flawed decryption mechanism means that, for now, the Clop Linux variant is still in the experimental stages of development.
The new Linux variant is similar to the original Windows-targeting Clop, using the same encryption method and similar process logic -- but there are also some differences.
Some of these variations exist because the ransomware authors are trying to build bespoke Linux payloads from scratch, instead of just directly porting the Windows version of Clop to Linux.
It's for this reason that researchers believe the Linux variant of Clop is still under development: several functions present in the Windows version are not yet implemented in the Linux variant.
"Ransomware groups are constantly seeking new targets and methods to maximize their profits. Being widely used in enterprise environments, Linux and cloud devices offer a rich pool of potential victims. Cloud infrastructures often store critical data and run business-critical applications, making them a valuable target," Antonis Terefos, threat intelligence researcher at SentinelOne, told ZDNET.
"In recent years, many organizations have shifted towards cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks. Therefore, ransomware groups targeting Linux and cloud systems is a natural progression in their quest for higher profits and easier targets," he added.
When it comes to defending Linux systems against ransomware and other threats, there are steps that can be taken -- and many are similar to those used to help protect Windows systems.
These steps include keeping systems up to date with the latest security patches to prevent intrusions that exploit known vulnerabilities in systems.
Many ransomware attacks also abuse stolen usernames and passwords. Organisations should ensure that accounts, particularly those associated with critical servers, are protected with a strong and unique password -- and that they are also secured with multi-factor authentication to provide an additional layer of security.
"The recommended approach to protect from such attacks is a multi-layer perspective -- it includes investing in the proper endpoint protection on each cloud, and endpoint, regardless of their operating system, ensuring access control, protecting the identities of an organization, patch management, and educating users about their risks of phishing and other social engineering tactics," said Terefos.