Chris Swagler | March 14th, 2023

Threat actors connected with the IceFire ransomware operation are actively targeting global Linux systems with a new specialized encryptor. Beginning in February, cybersecurity researchers discovered the group had breached several global media and entertainment companies in recent weeks. The threat actors use their new malware variant to encrypt victims’ Linux systems once inside their networks. When executed, the IceFire ransomware encrypts files, appends the “.ifire” extension to each filename, and then deletes its own binary to cover its tracks. Additionally, the IceFire ransomware does not encrypt all files on Linux.

The ransomware avoids encrypting certain paths, allowing critical system components to stay operational. This deliberate strategy is meant to avoid a complete system shutdown, which can cause irreparable damage and more significant disruption. IceFire ransomware has been active since March 2022 and has been mostly quiet since the end of November, as seen from submissions to the ID-Ransomware platform. IceFire operators use a deserialization vulnerability in the IBM Aspera Faspex file-sharing software (CVE-2022-47986) to breach targets’ vulnerable systems and install their ransomware payloads. In January, IBM patched the high-severity pre-auth RCE vulnerability, and in early February it was exploited in cyberattacks after a technical report containing exploit code was published by Assetnote, a surface management company. Additionally, CISA added the security flaw to its list of publicly exploited vulnerabilities in February 2021, requiring federal agencies to patch their systems by March 14.
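The two host-level traces described above, files renamed with the “.ifire” extension and an encryptor that unlinks its own binary while still running, can both be hunted for on a Linux host. The following triage script is an added example, not code from the original post or from any vendor; the sample paths and the placeholder process name are constructed, and the live `/proc` and directory-walk checks assume the script is run with enough privilege to read them.

```python
import os
from typing import Dict, Iterable, List

IFIRE_EXT = ".ifire"  # extension the post says IceFire appends to encrypted files

def find_encrypted_paths(paths: Iterable[str]) -> List[str]:
    """Return the paths that carry the IceFire extension."""
    return [p for p in paths if p.lower().endswith(IFIRE_EXT)]

def is_self_deleted_exe(exe_link: str) -> bool:
    """True when a /proc/<pid>/exe link target shows the binary was unlinked while running."""
    return exe_link.endswith(" (deleted)")

def scan_proc(proc_root: str = "/proc") -> Dict[int, str]:
    """Live check: pid -> exe target for every process whose on-disk binary was deleted."""
    hits: Dict[int, str] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue  # kernel threads, exited processes, permission denied
        if is_self_deleted_exe(target):
            hits[int(name)] = target
    return hits

def walk_for_ifire(root: str) -> List[str]:
    """Live check: walk a directory tree and collect .ifire files."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(find_encrypted_paths(os.path.join(dirpath, f) for f in files))
    return found

def triage(paths: Iterable[str], exe_links: Dict[int, str]) -> Dict[str, list]:
    """Combine both signals from already-collected data into one report."""
    return {
        "ifire_files": find_encrypted_paths(paths),
        "deleted_exe_pids": sorted(p for p, t in exe_links.items() if is_self_deleted_exe(t)),
    }

# Constructed sample data standing in for a real filesystem walk and /proc scan.
SAMPLE_PATHS = ["/srv/media/project.mp4.ifire", "/srv/media/notes.txt.ifire",
                "/etc/passwd", "/usr/lib/libc.so.6"]  # system paths are left alone
SAMPLE_EXE_LINKS = {4242: "/tmp/encryptor-placeholder (deleted)",  # constructed name
                    1: "/usr/lib/systemd/systemd"}

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_EXE_LINKS))
```

On a live host, replace the constructed samples with `walk_for_ifire("/srv")` and `scan_proc()`; a process whose `exe` link ends in “(deleted)” is worth preserving from `/proc/<pid>/exe` before it exits.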

Linux is much harder to deploy ransomware against than Windows, especially at scale. According to a cybersecurity company, because numerous Linux systems are servers, traditional infection vectors, including phishing or drive-by downloads, are less effective. Threat actors began exploiting application vulnerabilities to overcome this challenge, as IceFire operators demonstrated by deploying payloads through an IBM Aspera vulnerability. More than 150 Aspera Faspex servers were exposed online, mostly from the United States and China.

The decision by IceFire ransomware to expand its Linux targeting after previously only focusing on Windows systems is a strategic shift that corresponds with other ransomware groups that began targeting Linux systems in recent years. The move is consistent with a trend in which companies have switched to Linux-powered VMware ESXi virtual machines that offer improved device management and far more efficient resource handling. After the malware is deployed on ESXi hosts, the ransomware operators can encrypt the victims’ Linux servers in bulk with a single command. Even though the IceFire ransomware doesn’t expressly target VMware ESXi VMs, its Linux encryptor is effective, as seen by victims’ encrypted files submitted for examination to the ID-Ransomware platform.

The cybersecurity company confirms the IceFire evolution as ransomware targeting Linux will continue to increase in popularity through 2023. Although the framework for Linux ransomware was laid in 2021, the trend increased in 2022 when illustrious groups added Linux encryptors to their arsenal. Numerous other ransomware groups have launched similar encryptors, including Conti, LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive. Additionally, other ransomware groups, including Babuk, GoGoogle, Snatch, PureLocker, Mespinoza, RansomEXX/Defray, and DarkSide have built and deployed their own Linux encryptors in attacks.

With numerous ransomware groups utilizing newly developed specialized encryptors targeting Linux and Windows systems, it’s important for companies to remain alert to the current threat landscape and regularly update their Linux or Windows systems to prevent future cyberattacks. At SpearTip, our pre-breach advisory services allow our engineers to examine companies’ security posture to improve weak points within their networks. We engage with the companies’ people, processes, and technology to measure the maturity of the technical environment. With every vulnerability our engineers uncover, they provide technical roadmaps which ensure that companies have the awareness and support to optimize their overall cybersecurity posture. The ShadowSpear Platform, our integrable managed detection and response tool, integrates with IT and security technology partners, allowing the correlation of events from firewalls and network devices on a single pane of glass.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.