
Previously known to target Windows systems only, a new Linux version of the IceFire ransomware that exploits an IBM Aspera Faspex file-sharing vulnerability (CVE-2022-47986) has recently been discovered. While the Windows version is known to target technology companies, the IceFire Linux ransomware variant has been observed targeting media and entertainment companies.

The ransomware operators' tactics are consistent with those of the "big-game hunting" (BGH) ransomware families: attacking large enterprises, leveraging double extortion, using evasion techniques such as deleting log files, and employing numerous persistence mechanisms. Double extortion involves both the theft and encryption of data, with attackers typically demanding a ransom that's double the usual payment.

IceFire Linux Ransomware Tactics & Key Characteristics

The Linux version of IceFire is a 2.18 MB, 64-bit ELF (Executable and Linkable Format) binary compiled with the open-source GCC (GNU Compiler Collection) for the AMD64 processor architecture. The payload also runs successfully on Intel-based distributions of Ubuntu and Debian, and has been deployed against hosts running CentOS.

Impacted systems download the IceFire payloads and execute them to encrypt files and rename them with the ".ifire" extension. After this is complete, the payload stealthily deletes itself to avoid detection. The IceFire Linux payload is scripted to exclude certain system-critical files and paths from encryption, including the file extensions .cfg, .o, .sh, .img, .txt, .xml, .jar, .pid, .ini, .pyc, .a, .so, .run, .env, .cache, .xmlb, and p; and the paths /boot, /dev, /etc, /lib, /proc, /srv, /sys, /usr, /var, /run. This was done intentionally so that critical parts of the system are not encrypted and it remains operational (and able to display the ransom demand). Another defining tactic observed in the IceFire Linux ransomware variant is the exploitation of a vulnerability for initial access, as opposed to the traditional delivery of the Windows variant via phishing emails or pivoting through post-exploitation third-party frameworks including Empire, Metasploit and Cobalt Strike.
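To make the encryption scope concrete for defenders, here is an added example (not code from the article or from the IceFire payload) that classifies a file inventory against the extension and path exclusions listed above, flags files already renamed with ".ifire", and includes a hypothetical host check for processes whose on-disk executable has been unlinked, which is how a self-deleting payload looks while it is still running. It assumes the path exclusions are matched as top-level directory prefixes; the sample inventory is constructed.

```python
# Added example, not the article's or IceFire's code: classify a file inventory
# against the encryption scope the article documents, flag ".ifire" renames, and
# (hypothetical check) list processes whose on-disk executable was unlinked.
import os

# Exclusions as the article lists them (its trailing bare "p" is omitted here).
# Assumption: path exclusions are matched as top-level directory prefixes.
SKIPPED_EXTENSIONS = {".cfg", ".o", ".sh", ".img", ".txt", ".xml", ".jar", ".pid",
                      ".ini", ".pyc", ".a", ".so", ".run", ".env", ".cache", ".xmlb"}
SKIPPED_DIRS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/srv", "/sys", "/usr",
                "/var", "/run")
ENCRYPTED_EXT = ".ifire"

def classify(path: str) -> str:
    """Return 'encrypted', 'skipped' or 'in_scope' for one absolute path."""
    if path.endswith(ENCRYPTED_EXT):
        return "encrypted"  # already renamed by the payload
    if any(path == d or path.startswith(d + "/") for d in SKIPPED_DIRS):
        return "skipped"
    if os.path.splitext(path)[1].lower() in SKIPPED_EXTENSIONS:
        return "skipped"
    return "in_scope"

def triage(paths) -> dict:
    """Count paths per class and collect the .ifire files for IR triage."""
    summary = {"encrypted": 0, "skipped": 0, "in_scope": 0, "ifire_files": []}
    for p in paths:
        c = classify(p)
        summary[c] += 1
        if c == "encrypted":
            summary["ifire_files"].append(p)
    return summary

def deleted_exe_processes(proc_root: str = "/proc") -> list:
    """(pid, target) for processes whose /proc/<pid>/exe link ends in
    ' (deleted)', i.e. the binary is gone from disk. Returns [] off-Linux."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for pid in os.listdir(proc_root):
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue  # not a pid directory, permission denied, or process exited
        if pid.isdigit() and target.endswith(" (deleted)"):
            hits.append((int(pid), target))
    return hits

# Constructed sample inventory (not real victim data).
SAMPLE_PATHS = ["/etc/ssh/sshd_config", "/home/user/report.docx", "/home/user/notes.txt",
                "/srv/media/ep1.mp4", "/data/raw.mov.ifire", "/opt/app/db.sqlite"]
```

Running `triage(SAMPLE_PATHS)` shows which files would survive untouched and which were renamed; `deleted_exe_processes()` needs root to read other users' /proc/<pid>/exe links.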

The IceFire Linux ransomware payload uses an RSA encryption scheme with an RSA public key hard-coded into the binary. The payload drops a ransom note from an embedded resource in the binary and writes it to each directory targeted for file encryption. The ransom note includes a predefined username and password that must be used to access the ransom payment website, which is hosted on a Tor hidden service to ensure anonymity.

Linux security expert and LinuxSecurity.com Founder Dave Wreski remarks, “Linux presents more challenges for ransomware operators than Windows, especially on a large scale. Many Linux systems are servers, which are less susceptible to common infection methods like phishing or drive-by downloads. Thus, attackers have resorted to exploiting vulnerabilities in applications, as we have recently seen with the IceFire ransomware group.”

How Can I Secure My Linux Systems Against IceFire Ransomware?

While Linux is generally regarded as a highly secure OS that outperforms both Windows and macOS in the realm of security, attackers are increasingly targeting Linux systems due to the growing popularity of the OS and the high-value devices it powers worldwide. As a result, it is critical that admins and organizations have the right protection in place to defend against malware, rootkits and other malicious threats that Linux users face. Vali Cyber's ZeroLock is the only threat management platform we've found that effectively uses predictive analysis detection to stop ransomware attacks that evade traditional security solutions. In addition to deploying a solution like ZeroLock that rapidly and reliably detects and automatically remediates threats to a Linux environment, some other tips and best practices for defending against Linux ransomware include:

  • Track security advisories to stay up-to-date on the latest vulnerabilities impacting your systems and the updates available to fix them. Registering as a LinuxSecurity user, then subscribing to our Linux Advisory Watch newsletter and customizing your advisories for the distro(s) you use is an excellent way to stay on top of the latest, most significant issues impacting the security of your systems. Also, be sure to follow @LS_Advisories on Twitter for real-time updates on advisories for your distro(s).
  • Back up critical files and diversify the storage media to avoid a single point of failure (SPOF). This won't prevent an attack, but it can mitigate the potential damage.
  • Implement the principle of least privilege for user accounts.
  • Monitor network activity and system logs closely.
  • Keep tabs on event logs to identify anomalous behavior before it causes harm.
  • Use a combination of IP filtering, an intrusion detection system (IDS) and an intrusion prevention system (IPS).
  • Use Linux security extensions that control and restrict access to data or network resources.
  • Implement robust network segmentation and data compartmentalization to minimize the impact of a potential ransomware attack.
  • Audit systems regularly.

Wreski concludes, “Linux ransomware is a serious and increasingly prevalent threat, but luckily attacks can be prevented with sound administration, the implementation of the right technology, and the other security best practices shared in this article.”