IceFire ransomware has been found targeting Linux-based systems, having previously attacked only Windows-based systems.
The ransomware has been used to attack media and entertainment organizations worldwide, with most infections being reported in countries such as Turkey, Iran, Pakistan, and the United Arab Emirates.
The ransomware targets user and shared directories that do not require elevated privileges to write or modify.
The Linux intrusions exploit a deserialization vulnerability in IBM Aspera Faspex file-sharing software to deploy the ransomware. Researchers from SentinelOne tested the Linux version of the ransomware against Intel-based Ubuntu and Debian systems.
The binary is compiled with gcc for the AMD64 architecture and is 2.18 MB in size.
The ransomware encrypts files and appends the “.ifire” extension to the filename before deleting itself by removing the binary. The ransom note contains hardcoded credentials to log into the ransom payment portal hosted on a Tor hidden service.
The Windows version of the ransomware spreads through phishing messages and pivots using post-exploitation toolkits. The Linux variant is still in its early stages, and the researchers note that the IceFire binary was not detected by any of the 61 VirusTotal engines at the time of the report’s publication.
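Since signature engines missed the binary, a filesystem check for the behaviour described above (the “.ifire” extension in user-writable directories) is a practical triage step. The following is an added example, not code from the report or from SentinelOne; the directory layout it scans is constructed sample data, and the write-permission check is an assumption about how to approximate “does not require elevated privileges”.

```python
import os
import tempfile
from collections import defaultdict

IFIRE_EXT = ".ifire"  # extension IceFire appends to encrypted files


def scan_for_ifire(roots):
    """Walk each root and return {directory: number of '.ifire' files}.

    Only directories holding at least one encrypted file are reported,
    so a clean tree yields an empty dict."""
    hits = defaultdict(int)
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                if name.lower().endswith(IFIRE_EXT):
                    hits[dirpath] += 1
    return dict(hits)


def writable_without_privilege(path):
    """Approximation (assumption): a directory the current, unprivileged
    user can write to is the kind of location the Linux variant targets."""
    return os.access(path, os.W_OK)


def build_sample_tree():
    """Constructed sample data: a 'shared' directory that is partly
    encrypted and a 'docs' directory that is untouched."""
    base = tempfile.mkdtemp(prefix="ifire_demo_")
    shared = os.path.join(base, "shared")
    docs = os.path.join(base, "docs")
    os.makedirs(shared)
    os.makedirs(docs)
    for name in ("report.pdf.ifire", "budget.xlsx.ifire", "README.txt"):
        open(os.path.join(shared, name), "w").close()
    open(os.path.join(docs, "notes.txt"), "w").close()
    return base, shared, docs


if __name__ == "__main__":
    base, shared, docs = build_sample_tree()
    for directory, count in scan_for_ifire([base]).items():
        print(f"{directory}: {count} encrypted file(s), "
              f"user-writable={writable_without_privilege(directory)}")
```

Point `scan_for_ifire` at home and shared directories (for example `/home` and any mounted shares) to inventory affected paths before deciding on restore-from-backup steps.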
The research highlights the growing threat of ransomware attacks against Linux systems and underscores the need for organizations to take proactive steps to protect their systems.
Experts recommend patching vulnerabilities in software and implementing security measures such as access controls and data backups to mitigate the impact of a ransomware attack.