IceFire

Malware updated a month ago (2024-11-29T14:13:20.160Z)
Download STIX
Preview STIX
IceFire is a malicious software (malware) that has been detected as part of the Linux ransomware family. It was initially known for attacking Windows systems, but recent developments have seen it expand its reach to both Linux and Windows systems. The shift by IceFire to target Linux systems worldwide with a new dedicated encryptor came in the wake of similar moves by other established ransomware groups such as Cl0p, Royal, and Akira. This trend signifies a broader shift in the malware landscape towards developing cross-platform versions of ransomware. The IceFire ransomware exploits a vulnerability in IBM technology (CVE-2022-47986), which was first reported to IBM on October 6, 2022, and subsequently patched on December 8, 2022. Despite the patch being issued, the IceFire group began exploiting this vulnerability shortly after, shifting their focus from targeting Windows to Linux systems. The ransomware primarily targets servers, as Linux is most often run on these systems. Automated scans are used to identify unpatched instances, which are then exploited to infiltrate and move laterally through the network of their targets. The IceFire ransomware operation has become a significant cyber threat since its emergence in April of this year. While the vulnerability it exploits was identified and patched early in the year, just last month, multiple security vendors spotted the IceFire ransomware gang deploying a novel Linux version of their ransomware to exploit the vulnerability. The operators of the IceFire ransomware have specifically targeted the Linux systems of media and entertainment companies, mainly in Turkey, Iran, Pakistan, and the UAE. This indicates a calculated strategy to exploit specific sectors and regions, marking IceFire as a formidable player in the cybercrime landscape.
Description last updated: 2024-05-04T20:40:55.939Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Linux
Vulnerability
Windows
Encrypt
Encryption
Malware
Exploit
Exploits
Phishing
Cobalt Strike
Ubuntu
Ransom
Debian
exploitation
Esxi
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Clop Malware is associated with IceFire. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitinUnspecified
3
The Akira Malware is associated with IceFire. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims gloUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2022-47986 Vulnerability is associated with IceFire. CVE-2022-47986 is a critical software vulnerability, specifically a deserialization flaw, found in IBM's Aspera Faspex file-sharing application. This vulnerability has been exploited by threat actors to deploy ransomware, significantly compromising the security of systems using this software. The vuUnspecified
3
Source Document References
Information about the IceFire Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Checkpoint
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
2 years ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
a year ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
InfoSecurity-magazine
2 years ago
DARKReading
2 years ago
Securityaffairs
2 years ago
CSO Online
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago