Jump to content
  • IceFire ransomware now encrypts both Linux and Windows systems

    alf9872000

    • 426 views
    • 3 minutes
     Share


    • 426 views
    • 3 minutes

    Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor.

     

    SentinelLabs security researchers found that the gang has breached the networks of several media and entertainment organizations around the world in recent weeks, starting mid-February, according to a report shared in advance with BleepingComputer.

     

    Once inside their networks, the attackers deploy their new malware variant to encrypt the victims' Linux systems.

     

    When executed, IceFire ransomware encrypts files, appends the '.ifire' extension to the filename, and then covers its tracks by deleting itself and removing the binary.

     

    It's also important to note that IceFire doesn't encrypt all files on Linux. The ransomware strategically avoids encrypting specific paths, allowing critical system parts to remain operational.

     

    This calculated approach is intended to prevent a complete system shutdown, which could cause irreparable damage and even more significant disruption.

     

    While active since at least March 2022 and mostly inactive since the end of November, IceFire ransomware returned in early January in new attacks, as shown by submissions on the ID-Ransomware platform.

     

    IceFire_ransomware_IDR_submissions.png

    IBM Aspera Faspex targeting

    IceFire operators exploit a deserialization vulnerability in the IBM Aspera Faspex file-sharing software (tracked as CVE-2022-47986) to hack into targets' vulnerable systems and deploy their ransomware payloads.

     

    This high-severity pre-auth RCE vulnerability was patched by IBM in January and has been exploited in attacks since early February [12] after attack surface management firm Assetnote published a technical report containing exploit code.

     

    CISA also added the security flaw to its catalog of vulnerabilities exploited in the wild on February 2021, ordering federal agencies to patch their systems until March 14.

     

    "In comparison to Windows, Linux is more difficult to deploy ransomware against–particularly at scale. Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective," SentinelLabs says.

     

    "To overcome this, actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability."

     

    Shodan shows more than 150 Aspera Faspex servers exposed online, most in the United States and China.

     

    Internet-exposed%20IBM%20Aspera%20Faspex

    Internet-exposed IBM Aspera Faspex servers (Shodan)

    Most ransomware strains encrypt Linux servers

    IceFire ransomware's move to expand Linux targeting after previously focusing on attacking only Windows systems is a strategic shift that aligns with other ransomware groups that have also started attacking Linux systems in recent years.

     

    Their move matches a trend where enterprises transitioned to Linux-powered VMware ESXi virtual machines, which feature improved device management and a lot more efficient resource handling.

     

    After deploying their malware on ESXi hosts, the ransomware operators can use a single command to encrypt the victims' Linux servers en masse.

     

    While IceFire ransomware doesn't specifically target VMware ESXi VMs, its Linux encryptor is just as efficient, as shown by victims' encrypted files submitted to the ID-Ransomware platform for analysis.

     

    "This evolution for IceFire fortifies that ransomware targeting Linux continues to grow in popularity through 2023," SentinelLabs says.

     

    "While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenal."

     

    Similar encryptors have been released by multiple other ransomware gangs, including ContiLockBitHelloKittyBlackMatterREvilAvosLockerRansomEXX, and Hive.

     

    Emsisoft CTO Fabian Wosar previously told BleepingComputer that other ransomware gangs (besides the ones we have already reported on), including Babuk, GoGoogle, Snatch, PureLocker, Mespinoza, RansomExx/Defray, and DarkSide, have developed and deployed their own Linux encryptors in attacks.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...