IceFire
IceFire is a ransomware threat actor/operator associated with the ".ifire" file extension.
Profile source: Mallory opens in a new tabIceFire
Family profile
IceFire is a ransomware threat actor/operator associated with the ".ifire" file extension. Reporting cited in the content shows IceFire initially focused on Windows targets and later expanded to Linux, with SentinelLABS observing novel Linux variants deployed in enterprise intrusions against media and entertainment organizations worldwide in February 2023. Previous reporting noted targeting of technology companies, while the observed victims in the Linux campaign were located in Turkey, Iran, Pakistan, and the United Arab Emirates.
The Linux IceFire campaign used exploitation of CVE-2022-47986, a deserialization vulnerability in IBM Aspera Faspex, to gain initial access and deploy payloads onto vulnerable CentOS-based file servers. This differed from previously reported Windows delivery via phishing and post-exploitation pivoting. Payloads were downloaded with wget from infrastructure hosted on a DigitalOcean droplet at 159.65.217.216:8080 into /opt/aspera/faspex. Open-source reporting linked this infrastructure to prior Aspera Faspex activity, and the Tor-based payment portal matched infrastructure previously tied to IceFire Windows attacks.
Observed tradecraft was consistent with big-game hunting ransomware, including double extortion, persistence mechanisms, and log deletion. The Linux encryptor appended the ".ifire" extension, dropped ransom notes into encrypted directories from an embedded resource, deleted its own binary after execution, and used a Tor hidden service for victim payment access. It skipped some extensions such as .sh and .cfg, excluded multiple system and operational file types, and avoided encrypting critical Linux paths including /boot, /dev, /etc, /lib, /proc, /sys, /usr, /var, and /run, while targeting user and shared directories such as /home, /mnt, /media, and /share. The content does not attribute IceFire to a nation state and does not identify any aliases or sub-groups beyond the name IceFire itself.
Ransomware.live