Summary of IceFire Ransomware
- IceFire Ransomware was first observed in August 2022.
- IceFire is a multi-pronged extortion threat. The attackers exfiltrate all enticing data prior to encrypting devices. Victims are then extorted into paying the ransom to prevent leakage and decrypt their data.
What Does IceFire Ransomware Target?
- Large enterprises, high-value targets
- Focus on healthcare and education sectors
How Does IceFire Ransomware Spread?
- Phishing and spear phishing emails
- Third-party framework (e.g., Empire, Metasploit, Cobalt Strike)
IceFire Ransomware Technical Details
The malware contains most features considered standard for ransomware (e.g., VSS deletion, multiple persistence mechanisms, log removal). Victims are instructed to visit a TOR-based payment portal to initiate communication with the attacker. Victims are provided unique credentials for their payment portal login, allowing them to chat and interact with their attackers. At this time, there are only Windows versions of IceFire ransomware.
How to Detect IceFire Ransomware
- The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with IceFire ransomware.
How to Mitigate IceFire Ransomware
- The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with IceFire.
How to Remove IceFire Ransomware
- SentinelOne customers are protected from IceFire ransomware without any need to update or take action. In cases where the policy was set to Detect Only and a device became infected, remove the infection by using SentinelOne’s unique rollback capability. As the accompanying video shows, the rollback will revert any malicious impact on the device and restore encrypted files to their original state.