ClickCease New Variant of IceFire Ransomware Discovered in Linux

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

New Variant of IceFire Ransomware Discovered in Linux

Rohan Timalsina

March 30, 2023 - TuxCare expert team

A new variant of IceFire ransomware has been discovered that targets Linux systems. In the past, it has been found to target Windows only. This ransomware is known for targeting technology companies, while in Linux, it appears to be targeting media and entertainment companies.

The ransomware operators target large enterprises and utilize techniques like double extortion, evasion methods, and persistence mechanisms. With double extortion, they encrypt data and steal it, and their demands are usually twice as high as the typical payment.


IceFire Linux Ransomware Tactics

The Linux variant of IceFire ransomware is a 64-bit ELF (executable and linkable) binary file with a size of 2.18 MB. It is compiled using the open-source GCC (GNU compiler collection) for the AMD64 system processor architecture. The ransomware’s payload is compatible with Intel-based distributions of Ubuntu and Debian, and it has been observed attacking hosts that run CentOS.

The IceFire Linux ransomware employs an RSA encryption algorithm with a hard-coded RSA public key embedded within the binary. After targeting a directory for file encryption, the ransomware’s payload leaves a ransom note sourced from an embedded resource in the binary. This note contains a predefined username and password to access the ransom payment website, which is hosted on a Tor-hidden service to ensure anonymity.

When a system downloads and executes IceFire ransomware payloads, they encrypt files and append the “.ifire” extension to its filenames. After encryption, the payload is programmed to delete itself to avoid detection.

However, the Linux version of IceFire ransomware is specifically designed to exclude certain critical files and paths from encryption, including file extensions .cfg, .o, .sh, .img, .txt, .xml, .jar, .pid, .ini, .pyc, .a, .so, .run, .env, .cache, .xmlb, and p, as well as paths such as /boot, /dev, /etc, /lib, /proc, /srv, /sys, /usr, /var, and /run. This ensures that critical parts of the system are not encrypted, enabling them to remain operational.



Linux is considered a secure operating system that outperforms both Windows and macOS regarding security. However, the increasing popularity of Linux and the high-value devices it powers worldwide have made it a more attractive target for attackers. Therefore, it is crucial for administrators and organizations to implement the appropriate protections to defend against malware, rootkits, and other malicious threats that Linux users are exposed to.

There are various security tips and measures that you can follow to secure your Linux operating system. For example, to reduce the risk of potential damage, you can back up critical files and diversify the storage media to prevent a single point of failure. Although this approach doesn’t avoid an attack, it can help reduce the impact of any potential damage.

TuxCare offers KernelCare Enterprise as a live patching solution that automatically applies the latest security patches for various Linux distributions. This process eliminates the need for system reboots, allowing companies to remain up-to-date with the latest patches without having to schedule any downtime.


The sources for this article include a story from LinuxSecurity.

New Variant of IceFire Ransomware Discovered in Linux
Article Name
New Variant of IceFire Ransomware Discovered in Linux
A new variant of IceFire ransomware has been discovered that targets Linux systems, mostly media and entertainment companies.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter