The first-ever Python-based ransomware virus specifically tailored to target vulnerable Jupyter notebooks has been revealed by researchers. It is a web-based immersive computing platform which allows editing and running programs via a browser. Python isn't widely used for malware development, instead, notably, thieves prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack. Sophos disclosed Python ransomware, particularly targeting VMware ESXi systems in October 2021.
Jupyter Notebook is a web-based data visualization platform that is open source. In data science, computers, machine learning, and modular software are used to model data. Over 40 programming languages are supported by the project, which is used by Microsoft, IBM, and Google, as well as other universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script it encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation."
The Python ransomware is aimed at those who have unintentionally made one's systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing the mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself.
"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords." We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike other conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding since no ransom note was displayed on the process, raising the possibility the threat actor was experimenting with the modus operandi or the honeypot scheduled out before it could be completed.
Regardless, the researchers believe it is ransomware rather than a wiper weapon based on what they have. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password," says the researcher. This is even additional evidence this is a ransomware attack instead of a wiper."
Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.
