Cl0p Ransomware Linux (ELF) Decryptor Tool
SentinelLabs has observed the first Linux variant of Cl0p ransomware.
The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom.
SentinelLabs has published a free decryptor for this variant here: https://github.com/SentineLabs/Cl0p-ELF-Decryptor
Windows versions of Cl0p ransomware use a Mersenne Twister PRNG (MT19937) to generate a 0x75-byte RC4 key for each file. This key is then validated (the first five bytes are checked for NULL) and used to encrypt the file. The generated RC4 key is then encrypted with the RSA public key and stored in $filename.$clop_extension. Victims who pay the ransom receive a decryptor that decrypts that Cl0p file with the RSA private key, recovers the per-file RC4 key, and then decrypts the encrypted file.
This core functionality (the RSA-protected per-file key) is missing in the Linux variant. Instead, we discovered flawed encryption logic in the ransomware that makes it possible to retrieve the original files without paying for a decryptor.
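The following is an added illustration, not code from SentinelLabs or from the Cl0p sample, of the per-file key handling the paragraph above attributes to the Windows variant: MT19937 output becomes a 0x75-byte RC4 key, the key is checked before use, and the file is RC4-encrypted with it. Because RC4 is symmetric, the same routine recovers the file once the key is known, which is exactly what the paid decryptor does after unwrapping the key with the RSA private key (the RSA step is omitted here). The seed value, the retry-until-valid loop, and the reading of the NULL check as "reject a key whose first five bytes are all zero" are assumptions; the page states none of them.

```python
"""Added example: model of the Windows Cl0p per-file RC4 key pipeline as described
in the README. Function names and the seeding/validation details are illustrative
assumptions, not the sample's own logic. Python's random.Random is MT19937."""
import random

KEY_LEN = 0x75  # 117 bytes, the key size the README gives


def draw_key(rng: random.Random) -> bytes:
    """Draw KEY_LEN bytes from an MT19937 generator (one byte per call)."""
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def key_is_valid(key: bytes) -> bool:
    """Assumed reading of the README's check: a key whose first five bytes
    are all NULL is rejected; anything else of the right length passes."""
    return len(key) == KEY_LEN and any(key[:5])


def generate_file_key(rng: random.Random) -> bytes:
    """Keep drawing from the same generator until the check passes
    (retry behaviour is an assumption; the README only says the key is validated)."""
    key = draw_key(rng)
    while not key_is_valid(key):
        key = draw_key(rng)
    return key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling, then XOR the keystream over data.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_file(ciphertext: bytes, file_key: bytes) -> bytes:
    """Decryptor side: with the per-file RC4 key in hand (what the paid
    decryptor obtains by RSA-decrypting $filename.$clop_extension), the
    file comes back with a single RC4 pass."""
    return rc4(file_key, ciphertext)


if __name__ == "__main__":
    # Constructed sample: a fixed seed stands in for whatever state the
    # real generator starts from; the seed is NOT something the page reports.
    rng = random.Random(20230226)
    file_key = generate_file_key(rng)
    plaintext = b"constructed sample file contents"
    locked = rc4(file_key, plaintext)
    assert recover_file(locked, file_key) == plaintext
    # Same generator state -> same key: file secrecy rests entirely on the
    # secrecy of that key, which is why the Windows variant RSA-wraps it.
    assert generate_file_key(random.Random(20230226)) == file_key
    print("key length:", hex(len(file_key)), "round trip ok")
```

The point a defender should take from it: every file's confidentiality reduces to the secrecy of one 0x75-byte RC4 key per file, and the scheme's strength is only as good as the handling of that key. In the Windows variant that handling is the RSA wrap; the Linux variant drops it, and that is what the decryptor exploits.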
Usage
python3 clop_linux_file_decr.py --help
========================================
SentinelOne Cl0p ELF variant Decryptor.
Author: @Tera0017/@SentinelOne
Link: https://s1.ai/Clop-ELF
========================================