A new version of a dangerous Windows ransomware has been observed targeting Linux devices, cybersecurity researchers have revealed.
What’s even more concerning is that the threat actors have made “thoughtful choices” to ensure the Linux strain targets the right devices and the right vulnerabilities.
In a press release, cybersecurity researchers from SentinelLabs confirmed that they had seen a Linux version of the IceFire ransomware for the first time. Named iFire, this variant targets a deserialization vulnerability in IBM Aspera Faspex file sharing software, tracked as CVE-2022-47986.
Big game hunting
But this is not the only surprising development when it comes to IceFire. The researchers also found that the threat actor is targeting companies in the media and entertainment sector in countries such as Turkey, Iran, Pakistan and the United Arab Emirates – countries “that are not typically a focus for organized ransomware actors.”
Until now, researchers had viewed IceFire as a Windows-focused threat group chasing “big game”: attacking large enterprises with double extortion tactics, using numerous persistence mechanisms, and evading analysis by deleting log files.
Compared to Windows, Linux is a more difficult operating system to infect with ransomware, the researchers added, and doing so at scale is particularly difficult.
“Many Linux systems are servers,” they say. “Typical infection vectors such as phishing or drive-by downloads are less effective. To mitigate this, actors are leveraging application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability.”
Despite the challenges, cybercriminals are increasingly attempting to deploy ransomware on Linux devices, the researchers conclude, pointing to IceFire’s evolution as further evidence of the trend. The foundation for Linux-targeted ransomware was laid in 2021, they said, but the trend accelerated in 2022 as BlackBasta, Hive, Qilin, ViceSociety and others began targeting the operating system as well.