New version of dangerous Windows ransomware (opens in a new tab) Attacks targeting Linux devices have been observed, cybersecurity researchers have revealed.
Even more worrying is that the threat actors made “deliberate choices” to ensure that the Linux virus targeted the right devices and the right vulnerabilities.
In a press release, cybersecurity researchers from SentinelLabs confirmed that they have discovered a Linux version of the IceFire ransomware for the first time. The variant, dubbed iFire, targets a deserialization vulnerability in IBM’s Aspera Faspex file-sharing software, tracked as CVE-2022-47986.
big game hunting
But that’s not the only surprising development for IceFire. The researchers also found threat actors targeting businesses in the media and entertainment industry in countries such as Turkey, Iran, Pakistan, and the United Arab Emirates — countries that “are not typically a focus for organized ransomware actors.”
Instead, threat actors believe IceFire is a Windows-centric threat group that aims to engage in “big game hunting”—targeting large enterprises, employing double-extortion tactics, using numerous persistence mechanisms, and exploiting Evade analysis.
Linux is a more difficult operating system to be infected with ransomware than Windows, the researchers added, saying this is especially difficult to implement on a large scale.
“Many Linux systems are servers,” they say. “Typical infection vectors such as phishing or drive-by downloads are less effective. To overcome this, actors turn to exploiting application vulnerabilities, as demonstrated by IceFire operators deploying payloads through an IBM Aspera exploit.”
Still, despite the challenges, threat actors are increasingly looking to deploy ransomware to Linux devices, and the evolution of IceFire is just another argument to prove it, the researchers concluded. The groundwork for ransomware targeting Linux was laid in 2021, but the trend accelerated in 2022 with the emergence of BlackBasta, Hive, Qilin, ViceSociety, and others, also starting to target the operating system, they said.
