New Linux versions of the IceFire ransomware were deployed in February against the enterprise networks of several media and entertainment sector organizations worldwide.
According to security researchers at SentinelOne, the campaign leveraged the exploitation of CVE-2022-47986, a recently patched deserialization vulnerability in IBM Aspera Faspex file-sharing software.
“The operators of the IceFire malware, who previously focused only on targeting Windows, have now expanded their focus to include Linux,” wrote SentinelOne senior threat researcher Alex Delamotte in Thursday’s advisory.
According to the researcher, the move represents a strategic shift that aligns the IceFire group with other ransomware groups that have also evolved to target Linux systems.
“In comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale,” Delamotte wrote. “Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective. To overcome this, actors turn to exploiting application vulnerabilities.”
In the most recent attacks observed by SentinelOne, upon execution, the IceFire Linux version downloaded two separate payloads that encrypt files and then delete the malware.
“IceFire ransomware doesn’t encrypt all files on Linux: it avoids encrypting certain paths so that critical parts of the system are not encrypted and remain operational,” explained Delamotte.
“Interestingly, several file-sharing clients downloaded benign encrypted files after IceFire had encrypted the file server’s shared folders. Despite the attack on the server, clients were still able to download files from the encrypted server.”
At the time of writing, IceFire has reportedly impacted victims in Turkey, Iran, Pakistan and the United Arab Emirates (UAE). None of the 61 VirusTotal engines detected the Linux variants observed by SentinelOne.
“This evolution for IceFire fortifies that ransomware targeting Linux continues to grow in popularity through 2023,” Delamotte added. “While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenal, including the likes of BlackBasta, Hive, Qilin, Vice Society (aka HelloKitty) and others.”
Ransomware is not the only form of malware increasingly targeting the Linux OS. In December 2022, Trend Micro observed threat actors using the Chaos RAT to improve the efficiency of cryptocurrency mining attacks against Linux systems.