A variant of ransomware, commonly known for encrypting Windows systems, was also recently discovered for Linux devices. According to a SentinelLabs report, Linux versions of IceFire ransomware have recently breached the networks of various media and entertainment organizations around the world. Ransomware operators do this by exploiting a deserialization vulnerability in IBM’s Aspera Faspex file sharing software. After gaining access to the victim’s system, they will distribute the IceFire ransomware, which will encrypt the data and append the .ifire extension to the infected files. The ransomware will eventually delete itself to cover its tracks.

Interestingly, IceFire does not encrypt all files on Linux. In fact, it avoids encrypting certain paths to ensure critical parts of the system remain operational and prevent further system damage.

When the ransomware finishes encrypting the data, it sends a ransom message asking the victim to contact the malware’s operators within five days. If they don’t, the note says the victim’s details will be made publicly available online.

IceFire is just one of many types of ransomware that is starting to target Linux systems. “Although the foundation was laid in 2021, the Linux ransomware trend accelerated in 2022 as leading groups added Linux encryptors to their arsenal,” SentinelLabs blog post. Some of these options are Conti, LockBit, Hive, and HelloKitty, among others.