IceFire ransomware now encrypts both Linux and Windows systems


Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor.

SentinelLabs security researchers found that the gang has breached the networks of several media and entertainment organizations around the world in recent weeks, starting mid-February, according to a report shared in advance with BleepingComputer.

Once inside their networks, the attackers deploy their new malware variant to encrypt the victims’ Linux systems.

When executed, IceFire ransomware encrypts files, appends the ‘.ifire’ extension to the filename, and then covers its tracks by deleting itself and removing the binary.

It’s also important to note that IceFire doesn’t encrypt all files on Linux. The ransomware strategically avoids encrypting specific paths, allowing critical system parts to remain operational.

This calculated approach is intended to prevent a complete system shutdown, which could cause irreparable damage and even more significant disruption.

While active since at least March 2022 and mostly inactive since the end of November, IceFire ransomware returned in early January in new attacks, as shown by submissions on the ID-Ransomware platform.

IceFire ransomware ID-R submissions

​IBM Aspera Faspex targeting

IceFire operators exploit a deserialization vulnerability in the IBM Aspera Faspex file-sharing software (tracked as CVE-2022-47986) to hack into targets’ vulnerable systems and deploy their ransomware payloads.

This high-severity pre-auth RCE vulnerability was patched by IBM in January and has been exploited in attacks since early February [1, 2] after attack surface management firm Assetnote published a technical report containing exploit code.

CISA also added the security flaw to its catalog of vulnerabilities exploited in the wild on February 2021, ordering federal agencies to patch their systems until March 14.

“In comparison to Windows, Linux is more difficult to deploy ransomware against–particularly at scale. Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective,” SentinelLabs says.

“To overcome this, actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability.”

Shodan shows more than 150 Aspera Faspex servers exposed online, most in the United States and China.

Internet-exposed IBM Aspera Faspex serversInternet-exposed IBM Aspera Faspex servers (Shodan)

​​Most ransomware strains encrypt Linux servers

IceFire ransomware’s move to expand Linux targeting after previously focusing on attacking only Windows systems is a strategic shift that aligns with other ransomware groups that have also started attacking Linux systems in recent years.

Their move matches a trend where enterprises transitioned to Linux-powered VMware ESXi virtual machines, which feature improved device management and a lot more efficient resource handling.

After deploying their malware on ESXi hosts, the ransomware operators can use a single command to encrypt the victims’ Linux servers en masse.

While IceFire ransomware doesn’t specifically target VMware ESXi VMs, its Linux encryptor is just as efficient, as shown by victims’ encrypted files submitted to the ID-Ransomware platform for analysis.

“This evolution for IceFire fortifies that ransomware targeting Linux continues to grow in popularity through 2023,” SentinelLabs says.

“While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenal.”

Similar encryptors have been released by multiple other ransomware gangs, including Conti, LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive.

Emsisoft CTO Fabian Wosar previously told BleepingComputer that other ransomware gangs (besides the ones we have already reported on), including Babuk, GoGoogle, Snatch, PureLocker, Mespinoza, RansomExx/Defray, and DarkSide, have developed and deployed their own Linux encryptors in attacks.


  • Frank108 Photo Frank108 – 1 day ago

    Funny how people on internet are doing copy paste everywhere, articles in particular.
    There is a huge difference of Windows and linux.
    It can be compiled or copied on the linux, but simebody ir something must do it, particularly with root account, . It can’t go in wild like on the windows.
    So, the article is pompous and incomplete.

  • Lawrence Abrams Photo Lawrence Abrams – 22 hours ago

    Most enterprise-targeting ransomware attacks on Windows is a human orchestrating it too.

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.24 4M+ Downloads

  • AdwCleaner Logo


    Version: 56M+ Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 22,367 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 53,124 Downloads


Related posts

FBI: Zeppelin ransomware may encrypt devices multiple times in attacks

Sarah Henriquez

Google blocks largest HTTPS DDoS attack ‘reported to date’

Sarah Henriquez

Ransomware attack forces French hospital to transfer patients

Sarah Henriquez

Leave a Comment