SentinelLabs recently observed a new Linux version of the IceFire ransomware deployed against enterprise networks in mid-February. The iFire file extension is associated with known reports of IceFire, a ransomware family noted by MalwareHunterTeam in March 2022.
Prior to this report, IceFire had only shown a Windows-centric focus. The attackers’ tactics are consistent with those of the ‘big-game hunting’ (BGH) ransomware families, which involve double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files.
Previous reports indicate that IceFire targeted technology companies; SentinelLabs observed these recent attacks against organisations in the media and entertainment sector. IceFire has impacted victims in Turkey, Iran, Pakistan, and the United Arab Emirates, which are typically not a focus for organised ransomware actors.
Deployed against CentOS hosts running a vulnerable version of the IBM Aspera Faspex file server software, the Linux version has an interesting twist: its excluded paths and file extensions imply that the IceFire developer made deliberate choices about what not to encrypt.
In recent weeks SentinelLabs observed novel Linux versions of IceFire ransomware being deployed within the enterprise network intrusions of several media and entertainment sector organisations worldwide.
Current observations indicate the attackers deployed the ransomware by exploiting CVE-2022-47986, a deserialisation vulnerability in IBM Aspera Faspex file sharing software.
The operators of the IceFire malware, who previously focused only on targeting Windows, have now expanded their focus to include Linux. This strategic shift is a significant move that aligns them with other ransomware groups that also target Linux systems.
This evolution of IceFire reinforces that ransomware targeting Linux continues to grow in popularity through 2023. While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when prominent groups added Linux encryptors to their arsenals, including BlackBasta, Hive, Qilin, Vice Society (aka HelloKitty), and others.
In comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale. Many Linux systems are servers, so typical infection vectors such as phishing or drive-by downloads are less effective. To overcome this, actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability.