IceFire

Malware updated 6 months ago (2024-05-04T21:18:16.470Z)

Download STIX

Preview STIX

IceFire is a malicious software (malware) that has been detected as part of the Linux ransomware family. It was initially known for attacking Windows systems, but recent developments have seen it expand its reach to both Linux and Windows systems. The shift by IceFire to target Linux systems worldwide with a new dedicated encryptor came in the wake of similar moves by other established ransomware groups such as Cl0p, Royal, and Akira. This trend signifies a broader shift in the malware landscape towards developing cross-platform versions of ransomware. The IceFire ransomware exploits a vulnerability in IBM technology (CVE-2022-47986), which was first reported to IBM on October 6, 2022, and subsequently patched on December 8, 2022. Despite the patch being issued, the IceFire group began exploiting this vulnerability shortly after, shifting their focus from targeting Windows to Linux systems. The ransomware primarily targets servers, as Linux is most often run on these systems. Automated scans are used to identify unpatched instances, which are then exploited to infiltrate and move laterally through the network of their targets. The IceFire ransomware operation has become a significant cyber threat since its emergence in April of this year. While the vulnerability it exploits was identified and patched early in the year, just last month, multiple security vendors spotted the IceFire ransomware gang deploying a novel Linux version of their ransomware to exploit the vulnerability. The operators of the IceFire ransomware have specifically targeted the Linux systems of media and entertainment companies, mainly in Turkey, Iran, Pakistan, and the UAE. This indicates a calculated strategy to exploit specific sectors and regions, marking IceFire as a formidable player in the cybercrime landscape.

Description last updated: 2024-05-04T20:40:55.939Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Linux

Vulnerability

Windows

Encrypt

Encryption

Malware

Clop

Exploit

Exploits

Phishing

Cobalt Strike

Ubuntu

Ransom

Debian

exploitation

Esxi

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Akira Malware is associated with IceFire. Akira is a form of malware, specifically ransomware, that has been involved in a significant number of cyber attacks since its first appearance. It has been particularly active since August 2024, when it was observed by Arctic Wolf Labs to be used in conjunction with another ransomware called Fog. T	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2022-47986 Vulnerability is associated with IceFire. CVE-2022-47986 is a critical software vulnerability, specifically a deserialization flaw, found in IBM's Aspera Faspex file-sharing application. This vulnerability has been exploited by threat actors to deploy ransomware, significantly compromising the security of systems using this software. The vu	Unspecified	3

Source Document References

Information about the IceFire Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	a year ago	The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks - Check Point Research
CERT-EU	a year ago	Akira Ransomware Mutates to Target Linux Systems, Adds TTPs
CERT-EU	a year ago	Ces vulnérabilités qui nécessitent plus qu’un correctif \| LeMagIT
DARKReading	2 years ago	Patch Now: Cybercriminals Set Sights on Critical IBM File Transfer Bug
CERT-EU	a year ago	Is automation driving the recent wave of ransomware attacks?
CERT-EU	a year ago	Cybersecurity threatscape: Q1 2023
CERT-EU	a year ago	Newbie Akira Ransomware Builds Momentum With Linux Shift \| #ransomware \| #cybercrime \| National Cyber Security Consulting
DARKReading	a year ago	Newbie Akira Ransomware Builds Momentum With Linux Shift
CERT-EU	a year ago	2023 Ransomware: Detection and Prevention - ReliaQuest
CERT-EU	2 years ago	Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation
CERT-EU	a year ago	MOVEit transfer exploited to drop file-stealing SQL Shell – Global Security Mag Online
CERT-EU	2 years ago	The Week in Ransomware - March 10th 2023 - Police Take Action
CERT-EU	2 years ago	Shell DDoS Malware Attacks Poorly Managed Linux SSH Servers
InfoSecurity-magazine	2 years ago	RTM Locker Ransomware Targets Linux Architecture
DARKReading	2 years ago	IceFire Ransomware Portends a Broader Shift From Windows to Linux
Securityaffairs	2 years ago	Recently discovered IceFire Ransomware now also targets Linux systems
CSO Online	2 years ago	New variant of the IceFire ransomware targets Linux enterprise systems
CERT-EU	2 years ago	IceFire Ransomware Attacks Both Windows and Linux Enterprise Networks
CERT-EU	2 years ago	IceFire ransomware targets Linux, exploits IBM vulnerability \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware – National Cyber Security Consulting