Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor.
The gang has breached the networks of several media and entertainment organizations around the world in recent weeks, starting mid-February.
Once inside their networks, the attackers deploy their new malware variant to encrypt the victims' Linux systems.
IceFire ransomware encrypts files, appends the '.ifire' extension to the filename, and then covers its tracks by deleting itself and removing the binary.
IceFire doesn't encrypt all files on Linux.
The ransomware strategically avoids encrypting specific paths, allowing critical system parts to remain operational.
This calculated approach is intended to prevent a complete system shutdown, which could cause irreparable damage and even more significant disruption.
While active since at least March 2022 and mostly inactive since the end of November, IceFire ransomware returned in early January in new attacks, as shown by submissions on the ID-Ransomware platform.
IBM Aspera Faspex targeting
IceFire operators exploit a deserialization vulnerability in the IBM Aspera Faspex file-sharing software (tracked as CVE-2022-47986) to hack into targets' vulnerable systems and deploy their ransomware payloads.
This high-severity pre-auth RCE vulnerability was patched by IBM in January and has been exploited in attacks since early February after attack surface management firm Assetnote published a technical report containing exploit code.
CISA also added the security flaw to its catalog of vulnerabilities exploited in the wild on February 2021, ordering federal agencies to patch their systems until March 14.
In comparison to Windows, Linux is more difficult to deploy ransomware against–particularly at scale.
Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective.
To overcome this, actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability.
Shodan shows more than 150 Aspera Faspex servers exposed online, most in the United States and China.
Most ransomware strains encrypt Linux servers
IceFire ransomware's move to expand Linux targeting after previously focusing on attacking only Windows systems is a strategic shift that aligns with other ransomware groups that have also started attacking Linux systems in recent years.
Their move matches a trend where enterprises transitioned to Linux-powered VMware ESXi virtual machines, which feature improved device management and a lot more efficient resource handling.
After deploying their malware on ESXi hosts, the ransomware operators can use a single command to encrypt the victims' Linux servers en masse.
While IceFire ransomware doesn't specifically target VMware ESXi VMs, its Linux encryptor is just as efficient, as shown by victims' encrypted files submitted to the ID-Ransomware platform for analysis.
This evolution for IceFire fortifies that ransomware targeting Linux continues to grow in popularity through 2023.
While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenal."
Similar encryptors have been released by multiple other ransomware gangs, including Conti, LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive.