Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor. SentinelLabs security researchers found that the gang has breached the networks of several media and entertainment organizations around the world in recent weeks, starting mid-February, according to a report shared in advance with BleepingComputer.
When executed, IceFire ransomware encrypts files, appends the '.ifire' extension to the filename, and then covers its tracks by deleting itself and removing the binary.
It's also important to note that IceFire doesn't encrypt all files on Linux. The ransomware strategically avoids encrypting specific paths, allowing critical system parts to remain operational.
This calculated approach is intended to prevent a complete system shutdown, which could cause irreparable damage and even more significant disruption.
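The two behaviours described above, the appended '.ifire' extension and the self-deleting binary, are both observable from the host. The following triage script is an added example, not part of the report or of SentinelLabs' tooling: it lists '.ifire' files under a directory tree and, relying on the Linux convention that `/proc/<pid>/exe` of a process whose binary was unlinked reads `<path> (deleted)`, flags running processes whose executable no longer exists on disk. The sample file tree and fake `/proc` it builds are constructed data for a self-check.

```python
import os
import tempfile
from pathlib import Path

IFIRE_SUFFIX = ".ifire"  # extension the report says IceFire appends

def find_ifire_files(root):
    """Walk `root` and return every file path ending in '.ifire', sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in files if n.endswith(IFIRE_SUFFIX)]
    return sorted(hits)

def original_name(path):
    """Recover the pre-encryption filename by stripping the appended suffix."""
    return path[:-len(IFIRE_SUFFIX)] if path.endswith(IFIRE_SUFFIX) else path

def deleted_exe_processes(proc_root="/proc"):
    """Return (pid, exe_target) for processes whose binary has been unlinked.
    Linux reports such a process's /proc/<pid>/exe link as '<path> (deleted)',
    which is the trace a payload leaves when it removes its own binary."""
    found = []
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():
            continue  # skip /proc/self, /proc/sys and similar
        try:
            target = os.readlink(os.path.join(entry.path, "exe"))
        except OSError:
            continue  # kernel threads, or processes we lack permission to read
        if target.endswith(" (deleted)"):
            found.append((int(entry.name), target))
    return found

def build_sample_data():
    """Constructed sample data: a tree with two '.ifire' files and one untouched
    file, plus a fake /proc with one unlinked and one present binary."""
    base = Path(tempfile.mkdtemp())
    media = base / "tree" / "srv" / "media"
    media.mkdir(parents=True)
    (media / "report.docx.ifire").write_bytes(b"\x00" * 16)
    (media / "clip.mp4.ifire").write_bytes(b"\x00" * 16)
    (base / "tree" / "srv" / "notes.txt").write_text("unaffected")
    proc = base / "proc"
    for pid, exe in (("4242", "/tmp/.x/payload (deleted)"), ("1", "/sbin/init")):
        (proc / pid).mkdir(parents=True)
        os.symlink(exe, proc / pid / "exe")  # dangling link is fine; only readlink is used
    (proc / "self").mkdir()
    return str(base / "tree"), str(proc)
```

Run `deleted_exe_processes()` with no argument against the real `/proc` (as root, so every process is readable) and `find_ifire_files("/")` on a suspect host; a process running from a deleted binary is worth dumping from `/proc/<pid>/exe` before it exits.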
While active since at least March 2022 and mostly inactive since the end of November, IceFire ransomware returned in early January in new attacks, as shown by submissions on the ID-Ransomware platform.