IceFire Ransomware: Malicious software operates with complex encryption algorithms

The IceFire ransomware has been active since 2021 and is known for strong, correctly implemented encryption: without the attackers' private key, recovering the encrypted files is impractical, which is what pressures victims into paying.

Like other ransomware, IceFire encrypts files on a victim's computer or network and holds them hostage until the attacker is paid. The most common delivery routes are phishing emails, exploitation of software vulnerabilities, and exposed Remote Desktop Protocol (RDP) services with weak or stolen passwords. The operators behind IceFire demand payment in Bitcoin and frequently threaten to delete the encrypted data, or to publish it, if their demands are not met.

Attackers have launched IceFire by exploiting a recently patched deserialization vulnerability in IBM Aspera Faspex (CVE-2022-47986). The most recent Linux version of IceFire is a 2.18 MB, 64-bit ELF binary compiled with GCC for the AMD64 architecture.

The binary is statically linked with many OpenSSL functions and carries a hardcoded RSA public key, so it depends on no crypto library present on the target. In the observed intrusions the victims were CentOS hosts running a vulnerable version of Aspera Faspex. After exploitation, the attacker used wget to download two payloads and save them into a subdirectory of the Aspera installation; the payloads were hosted on a DigitalOcean droplet. Outbound wget activity from the Faspex service writing executables under the Aspera tree is therefore a useful detection signal.
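The binary traits above (64-bit AMD64 ELF, statically linked OpenSSL, embedded RSA public key) can be checked quickly during triage without running the sample. The script below is an added example written for this article; it is not IceFire code or any vendor's tool. The string patterns it searches for (PEM key framing and the OpenSSL version banner) are generic heuristics assumed for the example, not indicators taken from the text, and the sample image it builds is synthetic.

```python
"""Static triage of an unknown Linux ELF for the traits the article attributes
to the IceFire Linux sample: a 64-bit AMD64 executable that statically links
OpenSSL and carries a hardcoded RSA public key.

Added example for this article, not code from IceFire or from any vendor.
The string patterns are generic heuristics (assumptions), not IoCs from the text."""
import re
import struct

EM_X86_64 = 62                         # e_machine value for AMD64
PEM_PUBKEY = re.compile(
    rb"-----BEGIN (?:RSA )?PUBLIC KEY-----.*?-----END (?:RSA )?PUBLIC KEY-----", re.S)
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def parse_elf_header(data: bytes) -> dict:
    """Decode class, endianness, e_type and e_machine; {} if not an ELF file."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return {}
    bits = 64 if data[4] == 2 else 32            # EI_CLASS: 2 = ELFCLASS64
    endian = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"bits": bits, "type": e_type, "machine": e_machine}


def triage_elf(data: bytes) -> dict:
    """Report how closely a binary matches the described IceFire profile."""
    hdr = parse_elf_header(data)
    versions = sorted({v.decode() for v in OPENSSL_BANNER.findall(data)})
    pem_keys = len(PEM_PUBKEY.findall(data))
    flags = []
    if hdr and hdr["bits"] == 64 and hdr["machine"] == EM_X86_64:
        flags.append("64-bit AMD64 ELF")
    if versions:
        flags.append("statically linked OpenSSL banner")
    if pem_keys:
        flags.append("embedded PEM public key")
    return {
        "is_elf": bool(hdr),
        "bits": hdr.get("bits"),
        "amd64": bool(hdr) and hdr["machine"] == EM_X86_64,
        "size_mb": round(len(data) / (1024 * 1024), 2),
        "openssl_versions": versions,
        "pem_keys": pem_keys,
        "flags": flags,
    }


def build_sample() -> bytes:
    """Construct a fake 64-bit AMD64 ELF image with both markers embedded.
    Synthetic test data for the example, not a real malware sample."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1, SysV
    header = e_ident + struct.pack("<HH", 2, EM_X86_64)        # ET_EXEC, x86-64
    body = (b"\x00" * 64
            + b"OpenSSL 1.1.1q  5 Jul 2022\x00"
            + b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqFAKEKEYDATA\n-----END PUBLIC KEY-----\n")
    return header + body


if __name__ == "__main__":
    report = triage_elf(build_sample())
    for key, value in report.items():
        print(f"{key:>17}: {value}")
```

Run it against a real sample with `triage_elf(open(path, "rb").read())`. Treat the result as a prioritisation hint only: a packed or stripped build can hide the OpenSSL banner, and plenty of legitimate static binaries embed public keys.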

When IceFire runs, it encrypts files and appends the ".ifire" extension to them. The ransom note it drops contains a hardcoded username and password that let the victim log in to the attackers' Tor-based ransom payment portal.

Notably, IceFire does not encrypt files whose extensions are associated with executables, applications, or system functionality, and it skips certain paths, so it does not encrypt every file on a Linux host. This keeps critical system components working (and the victim able to read the note and pay). Finally, it deletes its own binary to reduce its forensic footprint; the encrypted files, the ransom note, and any download or shell history it produced remain on the host.
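The selective encryption described above shapes how an incident responder triages an affected host: count the ".ifire" files per top-level directory, find the ransom notes, and confirm which system paths were left alone. The script below is an added example for this article, not IceFire code or a vendor tool; the ransom-note filename and the list of skipped system roots are assumptions for the example, not details given in the text, and the directory tree it builds is constructed demo data.

```python
"""Triage helper for a Linux host suspected of IceFire encryption: walk a
directory tree, count files carrying the .ifire extension per top-level
directory, locate ransom notes, and report whether the system paths the
malware reportedly skips are in fact untouched.

Added example for this article; not IceFire code nor a vendor tool.
The note filename and the skipped-root list are assumptions."""
import os
import tempfile
from collections import Counter

IFIRE_EXT = ".ifire"
NOTE_NAME = "iFire-readme.txt"     # assumed note filename (not from the article)
# Assumed set of system roots the malware skips so the host keeps booting.
ASSUMED_SKIPPED = ("boot", "dev", "etc", "lib", "proc", "sys", "usr")


def scan_tree(root: str) -> dict:
    """Return per-top-level counts of .ifire files, note locations, and any
    assumed-skipped root that nevertheless contains encrypted files."""
    encrypted = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            if name.endswith(IFIRE_EXT):
                encrypted[top] += 1
            elif name == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
    hit_roots = [r for r in ASSUMED_SKIPPED if encrypted.get(r, 0)]
    return {
        "encrypted": dict(encrypted),
        "total": sum(encrypted.values()),
        "notes": sorted(notes),
        # non-empty means the sample's behaviour differs from the assumed skip-list
        "skipped_roots_hit": hit_roots,
    }


def build_demo_tree() -> str:
    """Construct a throwaway tree mimicking a partially encrypted host."""
    base = tempfile.mkdtemp(prefix="ifire-demo-")
    layout = {
        "home/alice/report.docx.ifire": b"\x00" * 16,
        "home/alice/photo.jpg.ifire": b"\x00" * 16,
        "home/alice/" + NOTE_NAME: b"note",
        "srv/www/index.html.ifire": b"\x00" * 16,
        "srv/www/" + NOTE_NAME: b"note",
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",   # untouched system file
        "usr/bin/ls": b"\x7fELF",                         # untouched binary
    }
    for rel, content in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    print(f"{result['total']} .ifire files; notes at {result['notes']}")
    for top, count in sorted(result["encrypted"].items()):
        print(f"  {top}: {count}")
    print("skipped roots with hits:", result["skipped_roots_hit"] or "none")
```

On a real host run `scan_tree("/")` from a forensic shell or against a mounted image; if `skipped_roots_hit` is non-empty the sample's exclusion list differs from the one assumed here and the recovery plan should be adjusted before anything is rebooted.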

Researchers found that the group began breaching the networks of several media and entertainment companies worldwide in mid-February 2023. Most of the attacks targeted businesses in Turkey, Iran, Pakistan, and the United Arab Emirates, countries that organized ransomware crews do not usually go after. At the time of discovery, most threat detection tools also failed to flag the new Linux version.
