SentinelLabs has recently revealed the existence of a Linux variant of the IceFire ransomware, which initially targeted Windows devices.
SentinelLabs, the research team of SentinelOne, has published a whitepaper discussing the Linux version of the IceFire ransomware.
This Linux variant exploits a vulnerability in the IBM Aspera Faspex application, which had a high CVSS score of 9.8.
While IceFire ransomware primarily targets media and entertainment organizations worldwide, countries such as Turkey, Iran, Pakistan, and the UAE have been particularly affected.
SentinelLabs has issued a warning to enterprises about the IceFire ransomware, which now poses a threat to both Linux-based and Windows systems. According to their whitepaper, the ransomware is currently being used to target vulnerable Linux systems belonging to various media and entertainment organizations across the globe.
Exploiting the IBM Aspera Faspex Vulnerability
The IceFire ransomware exploits a vulnerability, known as CVE-2022-47986, in the IBM Aspera Faspex file exchange application. This vulnerability has a significant CVSS score of 9.8, enabling attackers to execute arbitrary code and deploy the ransomware.
"IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2."
The Linux version of IceFire, referred to as iFire, encrypts victims' files and adds the .iFire extension. SentinelLabs highlights that the ransomware has impacted victims in Turkey, Iran, Pakistan, and the UAE.
This Linux variant is a 2.18 MB, 64-bit ELF binary specifically designed to run on AMD64 systems. Upon exploiting the vulnerability in the IBM Aspera Faspex software, the ransomware downloads two payloads and saves them to the /opt/aspera/faspex path. To evade detection, the initial file self-deletes after execution.
Selective Encryption
The IceFire ransomware avoids encrypting certain file extensions such as .cfg, .sh, .img, .jar, .cache, and .run. However, it specifically targets files with the following extensions:
.sample .pack .idx .bitmap .gzip .bundle .rev .war .7z .3ds .accdb .avhd .back .cer .ctl .cxx .dib .disk .dwg .fdb .jfif .jpe .kdbx .nrg .odc .odf .odg .odi .odm .odp .ora .ost .ova .ovf .p7b .p7c .pfx .pmf .ppt .qcow .rar .tar .tib .tiff .vbox .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vsdx .vsv .work .xvd .vswp .nvram .vmxf .vmem .vmsn .vmss .wps .cad .mp4 .wmv .rm .aif .pdf .doc .docx .eml .msg .mail .rtf .vbs .c .cpp .cs .pptx .xls .xlsx
IceFire also avoids encrypting critical operating system components to ensure its continuous operation. SentinelLabs notes that the ransomware selectively encrypts folders, with the most commonly encrypted folder being /home/[user_name]/, followed by the /mnt, /media, and /share directories.
Ransom Note
As of now, none of the VirusTotal engines can detect the IceFire binary as malware. Unsurprisingly, IceFire drops a ransom note that directs victims to access their Tor link.
IceFire is ransomware: malicious software that infects computers, encrypts their data, and demands a significant payment from the victim to regain access to the files. Unlike many other ransomware programs, IceFire does not belong to any known ransomware family. This limits the options for file recovery, but there are still ways to recover some files and remove IceFire without paying the ransom.
In addition to file encryption, IceFire also adds the .iFire extension to all encrypted files, making it easier for victims to identify which files have been affected. Furthermore, it leaves a ransom note titled "iFire-readme.txt" with instructions for the victim to follow. The image provided above contains the full contents of the note, but in summary, it directs victims to visit a darknet website for further instructions.
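The indicators described above (the .iFire extension, the iFire-readme.txt note name, the /opt/aspera/faspex drop path and the /home, /mnt, /media and /share folders) can be turned into a read-only triage check. The following Python script is an added example, not code from SentinelLabs or from the original article; it runs over a constructed sample tree and reports what a responder would want to know first: how many files were encrypted per top-level folder, what they were before encryption, where notes were dropped, and what sits under the Faspex path.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators from the write-up: encrypted files get this extension, the note is
# dropped under this name, the payloads land under the Faspex path, and these
# top-level folders are the ones most often encrypted.
ENCRYPTED_EXT = ".iFire"
NOTE_NAME = "iFire-readme.txt"
DROP_PATH = "opt/aspera/faspex"
PRIORITY_DIRS = ("home", "mnt", "media", "share")

def triage(root):
    """Walk root read-only: .iFire counts per top-level folder, pre-encryption
    extensions, note locations, and every file under the Faspex path (on a real
    host compare that list against the vendor's install file list)."""
    root = Path(root)
    per_dir, orig_ext, notes, dropped = Counter(), Counter(), [], []
    for dirpath, _, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        top = rel.parts[0] if rel.parts else "."
        for name in files:
            if name == NOTE_NAME:
                notes.append((rel / name).as_posix())
            elif name.endswith(ENCRYPTED_EXT):
                per_dir[top] += 1
                # "report.pdf.iFire" -> ".pdf": what the file was before encryption
                orig_ext[Path(name[:-len(ENCRYPTED_EXT)]).suffix.lower()] += 1
            if rel.as_posix().startswith(DROP_PATH):
                dropped.append((rel / name).as_posix())
    return {"per_dir": dict(per_dir), "orig_ext": dict(orig_ext), "notes": notes,
            "dropped": dropped, "priority_hit": any(d in per_dir for d in PRIORITY_DIRS)}

def build_sample_tree(base):
    """Constructed sample, not real victim data: encrypted user and VM files,
    a skipped .sh script, a ransom note, and a payload under the Faspex path."""
    base = Path(base)
    for rel in ("home/alice/report.pdf.iFire", "home/alice/db.kdbx.iFire",
                "home/alice/backup.sh", "home/alice/" + NOTE_NAME,
                "mnt/data/vm.vmdk.iFire", DROP_PATH + "/payload.bin"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"constructed sample content")
    return base

def demo():
    # Build the sample in a temporary directory and return the triage summary.
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))
```

On a live host, point `triage` at `/` (or at the mounted image of the affected disk) instead of the sample tree; the script never opens file contents, so it is safe to run against encrypted data.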
If you have fallen victim to IceFire, it is unlikely that you will be able to recover all your data unless you have backups. However, you can still take steps to remove IceFire from your system and restore some of your files without paying the ransom. We recommend reading this article for detailed instructions on how to proceed.
How to Remove IceFire Ransomware:
If you have backups of your encrypted files or if you have decided not to attempt file recovery, you can begin by scanning your computer with one or more antivirus programs or completely reinstalling the operating system.
How to Recover Files Encrypted by IceFire Ransomware:
If you wish to recover files encrypted by IceFire, you can explore two main approaches: decryption and file recovery methods. Here are some options to consider:
1. Contact the authors of the ransomware program and pay the ransom in the hope of receiving a decryptor. However, this method is unreliable as there is no guarantee that the decryptor will be provided or that it will successfully decrypt your files.
2. Keep an eye on security researchers as they may discover vulnerabilities in IceFire that could allow for file decryption without paying the ransom. While such discoveries are possible, they are relatively rare, with only a small number of ransomware variants being decrypted for free. Periodically check the NoMoreRansom website for updates on the availability of free decryptors for IceFire.
3. Explore paid decryption services that may offer solutions for recovering encrypted files.
This presents a significant threat to businesses and individuals who rely on Linux servers or workstations for their operations. While Windows and Mac systems dominate the desktop, Linux-based operating systems are widely used in enterprise environments, web hosting, cloud infrastructure, and critical systems such as industrial control and IoT devices.
The emergence of IceFire ransomware targeting Linux systems underscores the need for robust cybersecurity measures, including regular software updates, security patches, network segmentation, and the use of strong authentication mechanisms. Organizations and individuals should also prioritize proactive monitoring for signs of compromise and have effective data backup and recovery strategies in place to mitigate the impact of a potential ransomware attack.
In light of this development, it is crucial for Linux system administrators and security professionals to stay informed about the latest threat intelligence, collaborate with industry peers, and implement best practices to protect against evolving ransomware threats. The proactive approach to cybersecurity is essential in safeguarding critical infrastructure and sensitive data from malicious actors seeking to exploit vulnerabilities in Linux-based systems.