
The IceFire ransomware affects not only Windows systems, but now also Linux-based systems.

According to security experts at SentinelOne, a Linux version of the IceFire ransomware has surfaced for the first time in recent weeks. Previously, only Windows systems were targeted. The IceFire ransomware was first noticed in March 2022.

The Linux version also marks a change in targeting: it surfaced at media and entertainment companies, whereas the Windows version has mostly been used against technology companies. A further departure is geography: the businesses affected by the new version are mainly located in Turkey, Iran, Pakistan and the United Arab Emirates.

The attackers' general tactics with this variant have stayed the same and are consistent with other big-game hunting (BGH) ransomware: double extortion, the use of multiple persistence mechanisms, and evading analysis by deleting log files.

SentinelOne's researchers note that IceFire follows other ransomware operations that have already rolled out Linux variants, such as BlackBasta, Hive, Qilin and Vice Society (aka HelloKitty).

Attack technique

According to SentinelOne, the Linux version of IceFire is deployed by exploiting CVE-2022-47986, a pre-authentication deserialization vulnerability in IBM's Aspera Faspex file-sharing software. IBM fixed the flaw in Faspex 4.4.2 Patch Level 2; any internet-facing Faspex instance below that level should be treated as exposed.

The IceFire Linux sample is a 2.18 MB, 64-bit ELF binary compiled with gcc for the AMD64 architecture. SentinelOne also confirmed that it runs on Intel-based distributions such as Ubuntu and Debian.

The campaign specifically targets CentOS hosts running a vulnerable version of the IBM Aspera Faspex file-server software. Once the exploit succeeds, the infection downloads two payloads.

Encrypted files

When the payloads are executed, files are encrypted and given the .ifire extension; the ransomware then removes its own binary from disk. Not every file on the host is encrypted: a number of system paths are deliberately skipped so that critical parts of the operating system keep working after encryption.

As for how to combat it, security vendors do not yet offer a remedy. SentinelOne's specialists did find that the payloads of the Linux variant are hosted on a DigitalOcean droplet with IP address 159.65.217.216. The URL format is: hxxp[://]159.65.217.216:8080/(subdomain.domain.TLD|IP_Address)/iFire, i.e. the path contains either the victim's hostname or its IP address, followed by /iFire.

Security teams can detect the IceFire payload URLs with the following regular expression, which matches either the hostname form or the IP-address form of the path (the prefix is defanged; replace hxxp[://] with http:// before running it against real proxy or web logs):

hxxp[://]159.65.217.216:8080/(([a-z]+\.){2}[a-z]+|((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4})/iFire
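The following added example (not part of the SentinelOne research or the original article) shows how a defender would run such a check over outbound proxy logs. The C2 address, port and /iFire path come from the article; the Squid-style log lines are constructed for this example, the hostname pattern is an assumption about how the victim hostname appears in the path, and the refang() step exists so that defanged indicators pasted from a report can be tested directly.

```python
import re

# C2 droplet and port as reported by SentinelOne (taken from the article).
C2_HOST_PORT = r"159\.65\.217\.216:8080"

# One IPv4 octet, 0-255, rejecting out-of-range values such as 999.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"(?:{OCTET}\.){{3}}{OCTET}"

# Assumption: the victim hostname in the path has at least two dots
# (subdomain.domain.TLD), lowercase labels with digits or hyphens.
FQDN = r"(?:[a-z0-9-]+\.){2,}[a-z]+"

# Full payload URL: scheme, C2 host:port, hostname or IP, then /iFire.
PAYLOAD_URL = re.compile(rf"https?://{C2_HOST_PORT}/(?:{FQDN}|{IPV4})/iFire\b")


def refang(text: str) -> str:
    """Undo the defanging conventions used in threat-intel reports."""
    return (text.replace("hxxp", "http")
                .replace("[://]", "://")
                .replace("[.]", "."))


def find_payload_urls(log_lines):
    """Return (line_number, matched_url) for every line with an IceFire payload URL."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = PAYLOAD_URL.search(refang(line))
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed Squid access-log lines for this example (not real traffic).
# Lines 1 and 2 are true positives; 3-5 are decoys that must not match:
# a different path, a different port, and an out-of-range IPv4 octet.
SAMPLE_LOG = """\
1678100000.123   1200 10.0.1.15 TCP_MISS/200 2285000 GET http://159.65.217.216:8080/faspex.example.com/iFire - HIER_DIRECT/159.65.217.216 application/octet-stream
1678100001.456    300 10.0.1.15 TCP_MISS/200 512 GET http://159.65.217.216:8080/10.0.1.15/iFire - HIER_DIRECT/159.65.217.216 application/octet-stream
1678100002.789    150 10.0.1.22 TCP_MISS/200 4096 GET http://159.65.217.216:8080/health - HIER_DIRECT/159.65.217.216 text/plain
1678100003.000     90 10.0.1.22 TCP_MISS/200 1024 GET http://159.65.217.216:9090/faspex.example.com/iFire - HIER_DIRECT/159.65.217.216 text/plain
1678100004.000     90 10.0.1.22 TCP_MISS/200 1024 GET http://159.65.217.216:8080/999.1.1.1/iFire - HIER_DIRECT/159.65.217.216 text/plain
"""

if __name__ == "__main__":
    for number, url in find_payload_urls(SAMPLE_LOG.splitlines()):
        print(f"line {number}: IceFire payload download {url}")
```

Anchoring the expression on the exact C2 host and port keeps false positives low, but it also means the rule goes stale the moment the operators move droplets; pair it with a broader hunt for GET requests ending in /iFire from hosts that run Aspera Faspex.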
