- SentinelOne’s research team, SentinelLabs, has published a whitepaper on a new Linux version of the IceFire ransomware, which until now had targeted Windows systems.
- The Linux version is deployed by exploiting CVE-2022-47986, a vulnerability in the IBM Aspera Faspex file exchange application with a CVSS score of 9.8.
- IceFire ransomware targets media and entertainment organizations around the world; the most affected countries are Turkey, Iran, Pakistan, and the UAE.
SentinelOne’s research team, SentinelLabs, has warned enterprises that IceFire ransomware is now capable of targeting Linux-based systems alongside Windows systems. According to the SentinelLabs whitepaper, the ransomware is currently being deployed on vulnerable Linux systems belonging to media and entertainment organizations worldwide.
Exploiting IBM Aspera Faspex vulnerability
IceFire ransomware exploits CVE-2022-47986, a vulnerability in the IBM Aspera Faspex file exchange application with a CVSS score of 9.8. The vulnerability allows a remote attacker to execute arbitrary code, and thus to deploy the ransomware. The vulnerability description reads:
« IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. »
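A quick way to tell whether a Faspex instance falls inside the affected range is to compare its version against the fix level named in the advisory. The Python helper below is an added example, not IBM's or SentinelLabs' code. It assumes version strings of the form "4.4.2 PL1" or "4.4.2 Patch Level 1", treats a missing patch level as PL0, and treats every release at or above 4.4.2 PL2 as fixed, which is what the advisory text implies but should be confirmed against IBM's current guidance.

```python
import re

# From the advisory quoted above: 4.4.2 Patch Level 1 and earlier are affected,
# and the obsolete API call was removed in 4.4.2 PL2.
FIXED_IN = (4, 4, 2, 2)

# Accepts "4.4.2", "4.4.2 PL1" and "4.4.2 Patch Level 1" (format is an assumption
# of this example; adapt it to however your inventory records the version).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:(?:PL|Patch\s*Level)\s*(\d+))?\s*$", re.I
)


def parse_faspex_version(text):
    """Return (major, minor, patch, patch_level) for a Faspex version string.

    A missing patch level is treated as PL0 (assumption), so that a plain
    "4.4.2" sorts before "4.4.2 PL1".
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Faspex version string: {text!r}")
    major, minor, patch, pl = m.groups()
    return (int(major), int(minor), int(patch), int(pl or 0))


def is_vulnerable_to_cve_2022_47986(text):
    """True if the version is 4.4.2 PL1 or earlier, per the advisory text."""
    return parse_faspex_version(text) < FIXED_IN


if __name__ == "__main__":
    for v in ["4.4.1", "4.4.2", "4.4.2 PL1", "4.4.2 Patch Level 2", "4.4.3"]:
        state = "AFFECTED" if is_vulnerable_to_cve_2022_47986(v) else "fixed"
        print(f"{v:<22} {state}")
```

Run it against the version reported by each Faspex host in your inventory; anything printed as AFFECTED should be treated as exposed to the initial-access path described in this article until it is upgraded.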
The Linux version of IceFire is dubbed iFire, and it appends the .iFire extension to the files it encrypts. According to SentinelLabs, it has impacted victims in Turkey, Iran, Pakistan, and the UAE.
The Linux version is a 2.18 MB, 64-bit ELF binary that runs on AMD64 systems. After exploiting the vulnerability in the IBM Aspera Faspex software, the attackers download two payloads and save them under /opt/aspera/faspex. Once executed, the initial file deletes itself to hinder detection.
Selective encryption
The ransomware skips files with certain extensions, such as .cfg, .sh, .img, .jar, .cache, and .run, and specifically targets files with the following extensions:
.sample .pack .idx .bitmap .gzip .bundle .rev .war .7z .3ds .accdb .avhd .back .cer .ctl .cxx .dib .disk .dwg .fdb .jfif .jpe .kdbx .nrg .odc .odf .odg .odi .odm .odp .ora .ost .ova .ovf .p7b .p7c .pfx .pmf .ppt .qcow .rar .tar .tib .tiff .vbox .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vsdx .vsv .work .xvd .vswp .nvram .vmxf .vmem .vmsn .vmss .wps .cad .mp4 .wmv .rm .aif .pdf .doc .docx .eml .msg .mail .rtf .vbs .c .cpp .cs .pptx .xls .xlsx
IceFire also avoids encrypting critical operating system components so that the system keeps running. The ransomware appears to encrypt folders selectively; SentinelLabs states that the most heavily encrypted folder is /home/[user_name]/, followed by /mnt, /media, and /share.
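The reported extension filter, the .iFire suffix and the payload drop location give an incident responder enough to triage a suspect host. The Python script below is an added example, not SentinelLabs' or IceFire's code: it walks a filesystem root, lists files carrying the .iFire extension grouped by the directories hit (per user under /home, as in the report), lists files whose extensions are on the reported target list and would be at risk on a not-yet-encrypted host, and flags executables left in /opt/aspera/faspex, the reported payload directory. Case-insensitive matching on the last suffix only, and the executable-bit heuristic for the payload directory, are assumptions of this example rather than findings from the report.

```python
import os
import stat
from collections import Counter
from pathlib import Path

# Indicators taken from the SentinelLabs findings summarised above.
ENCRYPTED_EXT = ".iFire"                  # suffix appended to encrypted files
PAYLOAD_DIR = Path("opt/aspera/faspex")  # where the two payloads were dropped
SKIPPED_EXTS = {".cfg", ".sh", ".img", ".jar", ".cache", ".run"}
TARGET_EXTS = set("""
.sample .pack .idx .bitmap .gzip .bundle .rev .war .7z .3ds .accdb .avhd .back
.cer .ctl .cxx .dib .disk .dwg .fdb .jfif .jpe .kdbx .nrg .odc .odf .odg .odi
.odm .odp .ora .ost .ova .ovf .p7b .p7c .pfx .pmf .ppt .qcow .rar .tar .tib
.tiff .vbox .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vsdx .vsv .work
.xvd .vswp .nvram .vmxf .vmem .vmsn .vmss .wps .cad .mp4 .wmv .rm .aif .pdf
.doc .docx .eml .msg .mail .rtf .vbs .c .cpp .cs .pptx .xls .xlsx
""".split())


def would_target(path):
    """True if the reported extension filter would select this file.

    Assumption (not stated in the report): matching is case-insensitive and
    only the last suffix counts, so "a.tar.gz" is judged on ".gz".
    """
    ext = Path(path).suffix.lower()
    return ext in TARGET_EXTS and ext not in SKIPPED_EXTS


def _top_dir(rel):
    """Group hits by first path component; /home is split per user because the
    report singles out /home/[user_name]/ as the most encrypted folder."""
    parts = rel.parts
    if parts[0] == "home" and len(parts) > 2:
        return "/" + "/".join(parts[:2])
    return "/" + parts[0]


def triage(root):
    """Walk `root` (use "/" on a live host, or a mounted image) and return:
    encrypted files, still-unencrypted files the filter would hit, the
    directories with most encrypted files, and executables in the payload dir."""
    root = Path(root)
    encrypted, at_risk, hits = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            rel = p.relative_to(root)
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(rel)
                hits[_top_dir(rel)] += 1
            elif would_target(p):
                at_risk.append(rel)

    # Heuristic (assumption of this example): the dropper deletes itself, but
    # payloads with the executable bit set in the Faspex directory are worth a look.
    suspicious = []
    payload_dir = root / PAYLOAD_DIR
    if payload_dir.is_dir():
        for p in payload_dir.iterdir():
            if p.is_file() and p.stat().st_mode & stat.S_IXUSR:
                suspicious.append(p.relative_to(root))

    return {
        "encrypted": sorted(encrypted),
        "at_risk": sorted(at_risk),
        "most_hit_dirs": hits.most_common(),
        "payload_dir_executables": sorted(suspicious),
    }


if __name__ == "__main__":
    import json
    import sys
    target_root = sys.argv[1] if len(sys.argv) > 1 else "/"
    print(json.dumps(triage(target_root), indent=2, default=str))
```

Run it as `python3 triage.py /` on the affected host, or point it at a mounted disk image; the "at_risk" list is also useful before an incident, as a quick inventory of which shares and home directories hold the file types this family goes after.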
The ransom note
At the time of the SentinelLabs report, none of the VirusTotal engines detected the IceFire Linux binary as malicious. IceFire drops a ransom note, as expected, that directs victims to the attackers' Tor site.