IceFire is standard-fare ransomware. It is a kind known as ‘big-game hunting’ (BGH) ransomware. What is BGH ransomware? It is a kind of ransomware that is characterized by a double extortion model that targets large enterprises, using numerous persistence mechanisms. It is very hard to detect since it covers its tracks by deleting log files.
IceFire was an exclusively Windows-based malware, however, its recent attacks have taken place against Linux-based enterprise networks. This is a very bad trend. The question is how hard is it to modify ransomware to attack other operating systems? Not as hard as we may have thought by the IceFire example.
How does IceFire work? The attack is typical of most ransomware. Once a company is breached the IceFire attackers make copies of valuable and interesting data. Once they have copies of the data secured they do the encryption. IceFire is looking for user and shared directories. These unprotected parts of the Linux file system do not require extra privileges to write or modify.
IceFire ransomware is strategic and doesn’t encrypt all files on Linux. Certain critical parts of the system are not encrypted and remain operational. IceFire tags encrypted files with a “.ifire” extension. It then creates a ransom note — “All your important files have been encrypted. Any attempts to restore your files….” The note includes a unique hardcoded username and password the company can use to log into the attackers’ Tor-based (The Onion Router TOR – a router that does not allow tracing) ransom payment portal. Once the extortion is complete and payment is made, IceFire deletes itself.
So why this overview of IceFire, one of many instances of ransomware? Well, first it is one of the few ransomwares to jump operation systems. It now attacks Windows and Linux systems. It further highlights that security needs to be first and foremost. Keep up-to-date with the latest releases and patches. You should institute multifactor authentication. Do everything possible to implement a zero-trust environment.
To that end, NonStop, though no threat has been detected, is being very proactive in developing ransomware solutions. We have spoken about these at the 2023 NonStop Technical Boot Camp and briefly at SUNTug. The first release will be for applications, such as payment authorization that do not need large portions of the data to be synchronized. The business can function with just the application. By providing an air-gapped (not connected to production system) and a people-gapped (not susceptible to insider attack) stand-by system a company that was attacked continued to operate in less than an hour while preserving the ‘attacked’ system for forensic analysis to catch the bad guys. In subsequent releases, we will be adding the capability of applying ‘clean’ data to the standby system from an immutable data source.
So stay tuned as we provide capabilities to thwart the bad guys.