03/13/2023
IceFire ransomware, previously known to target Windows systems only, now has a Linux version that exploits a vulnerability in the IBM Aspera Faspex file-sharing application (CVE-2022-47986). While the Windows version is known to target technology companies, the IceFire Linux variant has been observed targeting media and entertainment companies.
The ransomware operators’ tactics are consistent with those of the “big-game hunting” (BGH) ransomware families: attacking large enterprises, leveraging double extortion, using evasion techniques such as deleting log files, and relying on numerous persistence mechanisms. Double extortion involves both the theft and the encryption of data, with attackers typically demanding a ransom that is double the usual payment.
IceFire Linux Ransomware Tactics & Key Characteristics
The Linux version of IceFire is a 2.18 MB, 64-bit ELF (Executable and Linkable Format) binary compiled with the open-source GCC (GNU Compiler Collection) for the AMD64 processor architecture. The payload also runs successfully on Intel-based distributions of Ubuntu and Debian, and has been deployed against hosts running CentOS.
Impacted systems download the IceFire payload and execute it to encrypt files, renaming them with the “.ifire” extension. Once encryption is complete, the payload stealthily deletes itself to avoid detection. The IceFire Linux payload is scripted to skip certain system-critical files and paths, including the file extensions .cfg, .o, .sh, .img, .txt, .xml, .jar, .pid, .ini, .pyc, .a, .so, .run, .env, .cache, .xmlb, and p; and the paths /boot, /dev, /etc, /lib, /proc, /srv,
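The behaviour above gives a defender three concrete things to look for on a Linux host: files renamed with the “.ifire” extension, the set of locations the payload would have left untouched (which tells an analyst where to expect clean data and where not to waste triage time), and a binary that has unlinked itself from disk while still running. The following Python script is an added example written for this page; it is not code from the article, from SentinelLabs, or from the ransomware. It assumes, since the article does not say, that exclusions are matched by file-name suffix and by absolute path prefix, and it uses only the path prefixes visible in the article’s truncated list. The sample directory tree it scans is constructed inline. The `running_deleted_binaries` check is a generic Linux forensics technique (a process whose `/proc/<pid>/exe` link ends in “ (deleted)”) and is not specific to IceFire.

```python
"""Triage helpers modelled on the IceFire Linux behaviour described in the article.
Added example; not the article's code. Matching rules are assumptions (see comments)."""
import os
import tempfile
from pathlib import Path

# Extension appended to encrypted files (stated in the article).
ENCRYPTED_SUFFIX = ".ifire"

# File extensions the payload is reported to skip (copied from the article).
# The article's list ends with a bare "p", which is not a well-formed extension
# and so cannot match a Path.suffix; it is therefore not modelled here.
EXCLUDED_EXTENSIONS = {
    ".cfg", ".o", ".sh", ".img", ".txt", ".xml", ".jar", ".pid",
    ".ini", ".pyc", ".a", ".so", ".run", ".env", ".cache", ".xmlb",
}

# Path prefixes reported as excluded. The article's list is cut off after /srv,
# so only the visible entries are used.
EXCLUDED_PATH_PREFIXES = ("/boot", "/dev", "/etc", "/lib", "/proc", "/srv")


def is_excluded(path: str) -> bool:
    """True if an absolute path would be skipped under the exclusion rules as
    modelled here: located under an excluded prefix, or carrying an excluded suffix.
    (Assumption: prefix and suffix matching; the article does not give the algorithm.)"""
    p = Path(path)
    for prefix in EXCLUDED_PATH_PREFIXES:
        root = Path(prefix)
        if p == root or root in p.parents:
            return True
    return p.suffix in EXCLUDED_EXTENSIONS


def find_encrypted(root: str) -> list[str]:
    """Walk a directory tree and return sorted paths (relative to root, POSIX form)
    of files carrying the ".ifire" extension, i.e. the article's renaming indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def running_deleted_binaries() -> list[tuple[int, str]]:
    """Generic Linux check, not IceFire-specific: list (pid, exe_link) for processes
    whose executable was unlinked from disk while running. Returns [] where /proc
    is unavailable (non-Linux hosts) so the script still runs elsewhere."""
    proc = Path("/proc")
    found = []
    if not proc.is_dir():
        return found
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            target = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel threads, exited processes, or insufficient privilege
        if target.endswith(" (deleted)"):
            found.append((int(entry.name), target))
    return found


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp directory: two renamed media files
    (as an infected media host would show) plus two files the payload would skip."""
    root = tempfile.mkdtemp(prefix="icefire_demo_")
    sample = {
        "media/clip.mp4.ifire": b"constructed ciphertext placeholder",
        "media/raw.mov.ifire": b"constructed ciphertext placeholder",
        "config/app.cfg": b"constructed config, excluded by suffix",
        "notes.txt": b"constructed notes, excluded by suffix",
    }
    for rel, data in sample.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("renamed files:", find_encrypted(demo_root))
    for sample_path in ("/etc/passwd", "/home/user/notes.txt", "/home/user/video.mp4"):
        print(f"{sample_path}: excluded={is_excluded(sample_path)}")
    print("running processes with unlinked binaries:", running_deleted_binaries())
```

Run it as-is to see the constructed tree classified; point `find_encrypted` at a real mount (for example a media share) to inventory renamed files during triage, and run `running_deleted_binaries` early in a live response, since the self-deletion described above leaves nothing to collect once the process has exited.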