Security researchers at SentinelLabs have reported that the IceFire ransomware operation has expanded their campaign with a new dedicated encryptor that targets Linux systems. The modification to also include a Linux encryptor aligns with a shift that has also been seen from other ransomware groups over the past two years. The researchers reported that over the last few weeks, the operators have breached numerous media and entertainment organizations around the world.
When executed, IceFire ransomware encrypts files and appends the “.ifire” extension to the file name. Following this, the ransomware deletes itself to cover its tracks. The ransomware only encrypts specific files on Linux hosts, avoiding files and paths that could lead to a complete system shutdown. To deploy IceFire, the operators are exploiting a deserialization vulnerability in the IBM Aspera Faspex file-sharing software (CVE-2022-47986) as a means of initial access. The vulnerability was initially discovered in January and has been patched since February 17.
Analyst Notes
This new encryptor demonstrates the shift of many threat actors to target Linux systems. It is necessary for organizations to pivot to ensure that their Linux devices are adequately covered by behavioral as well as signature-based detections. One way that this could be done is by looking for a large number of file renames in quick succession, although this detection would be at the end of the kill chain. Overall, it is best to ensure a defense-in-depth strategy for Linux devices to ensure all parts of the kill chain are covered on these systems. Additionally, this campaign demonstrates the need for adequate threat intelligence as well as a quick patching schedule. As this campaign exploits a vulnerability that was only just discovered in January and patched at the end of February, it is necessary for organizations to ensure that their intel team is aware of this information and can relay it to the team that performs patching. Likewise, it is important to get the necessary updates pushed in a timely manner.
Source: https://www.bleepingcomputer.com/news/security/icefire-ransomware-now-encrypts-both-linux-and-windows-systems/