Cybercriminals linked to the IceFire ransomware operation are now actively targeting Linux systems worldwide with a new dedicated encryptor.
Security researchers at SentinelLabs found that the threat group had breached the networks of several media and entertainment organizations around the world in recent weeks, starting mid-February.
Once inside their networks, the attackers deploy their new malware variant to encrypt the victims’ Linux systems.
When executed, IceFire encrypts files, appends the ‘.ifire’ extension to each filename, and then covers its tracks by deleting its own binary from disk.
IceFire does not, however, encrypt every file on a Linux host. It deliberately skips specific paths so that critical parts of the system keep working.
The intent is to avoid a complete system shutdown, which could cause irreparable damage and even greater disruption.
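The two host-level artefacts described above, files renamed with the ‘.ifire’ extension and an encryptor that keeps running after unlinking its own binary, can be hunted for with a short script. The following is an added example written for this page, not SentinelLabs’ or IceFire’s code. The sample directory tree, the /proc entries and the ‘/tmp/ifire’ binary path are constructed for the demonstration, and the list of pseudo-filesystem directories the scan prunes is an assumption of the example.

```python
"""Hunt for two on-host traces of the Linux IceFire encryptor described in the article:
files carrying the .ifire extension, and a process whose executable was deleted after
it started. Added example for this page; not SentinelLabs' or the ransomware's code."""
import os
import tempfile
from pathlib import Path

IFIRE_EXT = ".ifire"          # extension the encryptor appends to every file it encrypts
DELETED_MARK = " (deleted)"   # suffix the Linux kernel adds to /proc/<pid>/exe once the file is unlinked


def find_ifire_files(root, prune=("proc", "sys", "dev")):
    """Return the paths (relative to root, POSIX style) of every file ending in .ifire.

    `prune` is an assumption of this example: when scanning from '/', it keeps os.walk
    out of the kernel pseudo-filesystems, which never hold encrypted files anyway.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath) == root:
            dirnames[:] = [d for d in dirnames if d not in prune]
        for name in filenames:
            if name.endswith(IFIRE_EXT):
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def deleted_exe_processes(proc_entries):
    """Flag processes whose executable has been removed from disk.

    proc_entries is an iterable of (pid, target), where target is the string returned by
    os.readlink('/proc/<pid>/exe'). A self-deleting encryptor keeps running after unlinking
    its file, and the kernel reports the original path with ' (deleted)' appended.
    Returns [(pid, original_path), ...].
    """
    return [(pid, target[:-len(DELETED_MARK)])
            for pid, target in proc_entries
            if target.endswith(DELETED_MARK)]


def read_proc_exe_links():
    """Live collector for deleted_exe_processes(): readlink /proc/<pid>/exe for every pid.

    Linux only. Entries that cannot be read (other users' processes without root, or
    processes that exited mid-scan) are skipped rather than aborting the sweep.
    """
    entries = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            entries.append((int(pid), os.readlink(f"/proc/{pid}/exe")))
        except OSError:
            continue
    return entries


def demo():
    """Run both checks on constructed sample data and return the findings.

    The directory tree and the /proc entries below are made up for this example; the
    '/tmp/ifire' binary path is a placeholder, not a known IceFire artefact.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample_files = [
            "home/media/project.mp4.ifire",   # encrypted user data
            "srv/share/report.pdf.ifire",     # encrypted file share
            "etc/hostname",                   # untouched system file
            "usr/bin/python3",                # untouched system file
            "proc/1234/cmdline.ifire",        # pruned: pseudo-fs is never scanned
        ]
        for rel in sample_files:
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"sample")
        file_hits = find_ifire_files(tmp)

    constructed_proc = [
        (1, "/usr/lib/systemd/systemd"),
        (871, "/usr/sbin/sshd"),
        (4242, "/tmp/ifire (deleted)"),       # running encryptor whose file is gone
    ]
    proc_hits = deleted_exe_processes(constructed_proc)
    return file_hits, proc_hits


if __name__ == "__main__":
    files, procs = demo()
    print("encrypted files:", files)
    print("processes running from deleted binaries:", procs)
```

On a live host, `find_ifire_files("/")` and `deleted_exe_processes(read_proc_exe_links())` replace the constructed inputs. The article does not list which paths IceFire skips, so the scan makes no assumption about them and simply reports every .ifire file it reaches; a process flagged by the second check is worth capturing from /proc/<pid>/exe before it exits, since the on-disk copy is already gone.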
The ransomware, active since at least March 2022 but largely dormant since the end of November, returned in early January with new attacks.
IceFire operators exploit a deserialization vulnerability in the IBM Aspera Faspex file-sharing software (tracked as CVE-2022-47986) to break into unpatched Faspex servers and deploy their ransomware payloads.
IBM patched this high-severity pre-authentication RCE vulnerability in January, and it has been exploited in attacks since early February, after attack surface management firm Assetnote published a technical report containing exploit code. Because no credentials are needed, any unpatched Faspex instance reachable from the internet is exposed.
SentinelLabs noted that ransomware is harder to deploy on Linux than on Windows: many Linux systems are servers, so typical infection vectors such as phishing or drive-by downloads are less effective.
IceFire’s expansion to Linux, after previously targeting only Windows systems, is a strategic shift that mirrors other ransomware groups that have begun attacking Linux systems in recent years.