Monday, March 13, 2023

IceFire Ransomware Portends a Broader Shift From Windows to Linux


In recent weeks, hackers have been deploying the "IceFire" ransomware against Linux enterprise networks, a notable shift for what was once a Windows-only malware.

A report from SentinelOne published today suggests that this may represent a budding trend. Ransomware actors have been targeting Linux systems more than ever in cyberattacks in recent weeks and months, notable not least because "compared to Windows, Linux is more difficult to deploy ransomware against, particularly at scale," Alex Delamotte, security researcher at SentinelOne, tells Dark Reading.

But why, if Linux makes their job harder, would ransomware actors be shifting increasingly toward it?

The IceFire M.O.

IceFire, first discovered last March, is standard-fare ransomware aligned with other "'big-game hunting' (BGH) ransomware families," Delamotte wrote. BGH ransomware is characterized by "double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files."

But where IceFire was once an exclusively Windows-based malware, its latest attacks have taken place against Linux-based enterprise networks.

The attack flow is simple. Having breached a target network, the IceFire attackers steal copies of any valuable or otherwise interesting data on the target machines. Only then comes the encryption. What IceFire primarily looks for are user and shared directories, as these are important yet "unprotected parts of the file system that do not require elevated privileges to write or modify," Delamotte explained.

The attackers are careful, though. "IceFire ransomware doesn't encrypt all files on Linux: It avoids encrypting certain paths, so that critical parts of the system aren't encrypted and remain operational."

IceFire tags encrypted files with an ".ifire" extension, as many IT admins have since discovered for themselves. It also automatically drops a no-frills ransom note — "All your important files have been encrypted. Any attempts to restore your files…." The note includes a unique hardcoded username and password the victim can use to log into the attackers' Tor-based ransom payment portal. Once the job is complete, IceFire deletes itself.

(Image: .ifire encrypted file code. Source: SentinelOne)
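A defender-side sweep for the artefacts just described, added here as an example (not code from the article or from SentinelOne): it walks a directory tree, counts files bearing the ".ifire" extension per directory, flags directories holding several of them as likely mass encryption rather than a stray rename, and locates the ransom note by the opening sentence quoted above. The sample tree, the README.txt note filename and the two-file threshold are constructed assumptions.

```python
import os
import tempfile
from collections import Counter

# Wording of the ransom note as quoted in the article; the note's filename is not
# given there, so the sweep matches on content rather than on name.
NOTE_MARKER = "All your important files have been encrypted"
ENCRYPTED_EXT = ".ifire"


def sweep(root, per_dir_threshold=2):
    """Walk `root` and report IceFire-style artefacts: the total number of
    .ifire files, directories holding at least `per_dir_threshold` of them
    (a crude mass-encryption signal), and the paths of ransom notes found."""
    per_dir = Counter()
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
                continue
            try:
                # Only the head of each file is read; the note is short.
                with open(path, "r", errors="ignore") as fh:
                    if NOTE_MARKER in fh.read(512):
                        notes.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    suspicious = {d: n for d, n in per_dir.items() if n >= per_dir_threshold}
    return {"total": sum(per_dir.values()), "suspicious_dirs": suspicious, "notes": notes}


def build_sample_tree():
    """Constructed sample data (not a real capture): a shared directory with three
    encrypted files plus a note, and an untouched system-style directory."""
    root = tempfile.mkdtemp(prefix="icefire_demo_")
    shared = os.path.join(root, "srv", "share")
    os.makedirs(shared)
    for i in range(3):
        open(os.path.join(shared, f"report{i}.pdf{ENCRYPTED_EXT}"), "w").close()
    with open(os.path.join(shared, "README.txt"), "w") as fh:  # hypothetical note name
        fh.write(NOTE_MARKER + ". Any attempts to restore your files ...\n")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "hostname"), "w") as fh:
        fh.write("demo-host\n")
    return root, shared
```

Running `sweep(root)` on the constructed tree reports three encrypted files, one suspicious directory and one note; the untouched system-style directory produces no hits.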

How IceFire Is Changing

Most of these details have remained consistent since IceFire's first entry onto the scene. However, some important details have changed in recent weeks, including the victimology.

Where IceFire was once primarily used in campaigns against the healthcare, education, and technology sectors, recent attacks have centered around entertainment and media organizations, primarily in Middle Eastern countries — Iran, Pakistan, Turkey, the United Arab Emirates, and so on.

Other changes to IceFire's M.O. derive from its operating system shift toward Linux. For example, SentinelOne has noted in the past that cyberattackers would distribute IceFire via phishing and spear-phishing emails, then use third-party pen-test tools like Metasploit and Cobalt Strike to help it spread.

But "many Linux systems are servers," Delamotte points out, "so typical infection vectors like phishing or drive-by download are less effective." So instead, recent IceFire attacks have exploited CVE-2022-47986 — a critical remote code execution (RCE) vulnerability in the IBM Aspera data transfer service, with a CVSS score of 9.8.

Why Hackers Are Targeting Linux

Delamotte posits a few reasons for why more ransomware actors are choosing Linux these days. For one thing, she says, "Linux-based systems are frequently used in enterprise settings to perform crucial tasks such as hosting databases, Web servers, and other mission-critical applications. Consequently, these systems are often more valuable targets for ransomware actors due to the potential of a larger payout resulting from a successful attack, compared to a typical Windows user."

A second factor, she guesses, "is that some ransomware actors may perceive Linux as an unexploited market that could yield a higher return on investment."

Finally, "the prevalence of containerization and virtualization technologies in enterprise environments has expanded the potential attack surface for ransomware actors," she says. Many of these technologies are Linux-based, so "as ransomware groups exhaust the supply of 'low-hanging fruit,' they'll likely prioritize these higher effort targets."

Whatever the main reason, if more threat actors follow this same path, enterprises running Linux-based systems need to be ready.

Defending against ransomware requires "a multi-faceted approach," Delamotte says, prioritizing visibility, education, insurance, multi-layered security, and patching, all at once.

"By taking a proactive approach to cybersecurity," she says, "enterprises can enhance their chances of successfully defending against ransomware attacks."


