The first Linux variant of the Clop ransomware has been found in the wild, but it uses a flawed encryption method that has allowed it to be reverse engineered.
SentinelOne researcher Antonis Terefos stated in a study published with The Hacker News that “the ELF executable features a faulty encryption scheme making it easy to decode encrypted files without paying the ransom.”
The cybersecurity company said that it saw the ELF version on December 26, 2022, and noted that it is comparable to the Windows flavor in that it uses the same encryption approach. It has also made a decryptor available.