This dangerous Windows ransomware is now going after Linux networks too

(Image credit: Pixabay)

A new version of a dangerous Windows ransomware has been observed targeting Linux devices, cybersecurity researchers have revealed.

What's even more concerning is that the threat actors have made “thoughtful choices” to make sure the Linux strain targets the right devices and the right vulnerabilities.

In a press release, cybersecurity researchers from SentinelLabs confirmed they had  seen a Linux version of IceFire ransomware for the first time. This variant has been dubbed iFire, and it targets a deserialization vulnerability in IBM Aspera Faspex file sharing software, tracked as CVE-2022-47986. 

Big game hunting

But this is not the only surprising development when it comes to IceFire. The researchers have also found the threat actor targeting businesses in the media and entertainment sectors in countries like Turkey, Iran, Pakistan, and the United Arab Emirates - countries “which are typically not a focus for organized ransomware actors.”

Instead, the threat actors considered IceFire a Windows-centric threat group going for “big-game hunting” - targeting large enterprises with double extortion tactics, using countless persistence mechanisms, and evading analysis by deleting log files. 

Compared to Windows, Linux is a more difficult operating system to infect with ransomware, the researchers added, also saying that this is particularly difficult to pull off at scale. 

“Many Linux systems are servers,” they say. “Typical infection vectors like phishing or drive-by download are less effective. To overcome this, actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability.”

Still, despite the challenges, threat actors are increasingly looking to deploy ransomware to Linux devices, the reserachers conclude, saying that the evolution of IceFire is just another argument proving the case. The groundwork for Linux-targeting ransomware was laid in 2021, they said, but the trend accelerated in 2022 with BlackBasta, Hive, Qilin, ViceSociety, and others, started targeting the operating system, as well.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.