    IceFire Ransomware Portends a Broader Shift From Windows to Linux

By justmattg, March 9, 2023
    In recent weeks, hackers have been deploying the “IceFire” ransomware against Linux enterprise networks, a noted shift for what was once a Windows-only malware.

    A report from SentinelOne published today suggests that this may represent a budding trend. Ransomware actors have been targeting Linux systems more than ever in cyberattacks in recent weeks and months, notable not least because “in comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale,” Alex Delamotte, security researcher at SentinelOne, tells Dark Reading.

    But why, if Linux makes their job more difficult, would ransomware actors be moving increasingly toward it?

    The IceFire M.O.

    IceFire, first discovered last March, is standard-fare ransomware aligned with other “‘big-game hunting’ (BGH) ransomware families,” Delamotte wrote. BGH ransomware is characterized by “double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files.”

    But where IceFire was once an exclusively Windows-based malware, its recent attacks have taken place against Linux-based enterprise networks.

    The attack flow is straightforward. Having breached a target network, the IceFire attackers steal copies of any valuable or otherwise interesting data on target machines. Only then comes the encryption. What IceFire primarily looks for are user and shared directories, as these are important yet “unprotected parts of the file system that do not require elevated privileges to write or modify,” Delamotte explained.

    The attackers are careful, though. “IceFire ransomware doesn’t encrypt all files on Linux: It avoids encrypting certain paths, so that critical parts of the system are not encrypted and remain operational.”

IceFire tags encrypted files with an “.ifire” extension, as many IT admins have since discovered for themselves. It also automatically drops a no-frills ransom note — “All your important files have been encrypted. Any attempts to restore your files….” The note includes a unique hardcoded username and password the victim can use to log into the attackers’ Tor-based ransom payment portal. Once the job is complete, IceFire deletes itself.

[Image: .ifire encrypted file code. Source: SentinelOne]

    How IceFire Is Changing

    Most of these details have remained consistent since IceFire’s first entry onto the scene. However, some important details have changed in recent weeks, including the victimology.

    Where IceFire was once primarily used in campaigns against the healthcare, education, and technology sectors, recent attacks have focused around entertainment and media organizations, primarily in Middle Eastern countries — Iran, Pakistan, Turkey, the United Arab Emirates, and so on.

Other changes to IceFire’s M.O. derive from its operating system shift towards Linux. For example, SentinelOne has noted in the past that cyberattackers would distribute IceFire via phishing and spear-phishing emails, then use third-party pen-test tools like Metasploit and Cobalt Strike to help it spread.

    But “many Linux systems are servers,” Delamotte points out, “so typical infection vectors like phishing or drive-by download are less effective.” So instead, recent IceFire attacks have exploited CVE-2022-47986 — a critical remote code execution (RCE) vulnerability in the IBM Aspera data transfer service, with a CVSS rating of 9.8.

    Why Hackers Are Targeting Linux

    Delamotte posits a few reasons for why more ransomware actors are choosing Linux as of late. For one thing, she says, “Linux-based systems are frequently utilized in enterprise settings to perform crucial tasks such as hosting databases, Web servers, and other mission-critical applications. Consequently, these systems are often more valuable targets for ransomware actors due to the possibility of a larger payout resulting from a successful attack, compared to a typical Windows user.”

    A second factor, she guesses, “is that some ransomware actors may perceive Linux as an unexploited market that could yield a higher return on investment.”

    Finally, “the prevalence of containerization and virtualization technologies in enterprise environments has expanded the potential attack surface for ransomware actors,” she says. Many of these technologies are Linux-based, so “as ransomware groups exhaust the supply of ‘low-hanging fruit,’ they will likely prioritize these higher effort targets.”

Whatever the primary motive, if more threat actors follow the same path, enterprises running Linux-based systems need to be ready.

    Defending against ransomware requires “a multi-faceted approach,” Delamotte says, prioritizing visibility, education, insurance, multi-layered security, and patching, all at once.

    “By taking a proactive approach to cybersecurity,” she says, “enterprises can increase their chances of successfully defending against ransomware attacks.”
