IceFire Ransomware Targeting Linux Distributions

Incident Date: Mar 09, 2023

Attack Overview

Victim: Linux Systems
Industry: Media & Internet
Location: USA
Attacker: IceFire
First Reported: March 9, 2023

The IceFire Ransomware Group Targets Linux Systems

The IceFire ransomware group has added capabilities designed to target Linux systems and has attacked several media sector organizations.

“The attacks leverage an exploit for a recently disclosed vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986),” TheHackerNews reported.

“The ransomware binary targeting Linux is a 2.18 MB 64-bit ELF file that's installed on CentOS hosts running a vulnerable version of IBM Aspera Faspex file server software. It's also capable of avoiding encrypting certain paths so that the infected machine continues to be operational.”

Takeaway

This is just the latest evidence of a rapidly growing trend where ransomware threat actors are expanding their capabilities to include attacks on Linux distributions. While this may seem trivial, with groups like IceFire, LockBit, Black Basta, and Cl0p targeting Linux environments, we can expect some attacks to cause widespread disruptions across several key sectors, impacting a larger population of collateral victims.

Attackers have limited resources and make strategic decisions based on anticipated ROI, so they have traditionally focused on Windows because it is deployed on most systems. Linux, however, runs approximately 80% of web servers, most smartphones, supercomputers, and many embedded and IoT devices used in manufacturing. Linux is also favored for large network applications and data centers, and it drives most of the U.S. government and military networks, our financial systems, and even the backbone of the internet.

Attacks on Linux systems are potentially devastating. These attacks could have a broad impact like the disruption experienced from the Colonial Pipeline attack. The "always on" nature of Linux systems not only provides a strategic beachhead for moving laterally throughout the network, but attacks on Linux systems would also disrupt the most critical parts of an organization's network. Thus, attackers can demand higher ransom amounts.

While attacks on Windows systems make for a bad day or week, attacks on Linux systems could make for bad weeks or months - we should all be monitoring this trend closely.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.
