SentinelLabs researchers have observed the first Linux variant of the Clop ransomware. The researchers noticed that the encryption algorithm implemented in the ELF executable is flawed and can allow victims to decrypt locked files without paying a ransom.

The researchers observed the first ELF variant of the Clop ransomware targeting Linux systems on December 26, 2022. The experts found many similarities between Windows and Linux variant, including the same encryption method and similar process logic.

The sample was likely part of a bigger attack that hit the University in Colombia (sample1, sample2, sample3, sample4, sample5) on around the December 24, 2022. The cybercrime group behind the attack leaked the data stolen from the victim on January 5, 2022.