Researchers Discover Python-Based Ransomware Targeting Jupyter Notebook Web Applications

Researchers warn of future ransomware attacks on web applications used by data scientists

Researchers have discovered what they believe to be the first Python-based ransomware sample specifically targeting Jupyter notebooks.

Python is not commonly used for developing malware, with criminals preferring languages such as Go, DLang, Nim and Rust. Nevertheless, this is not the first Python ransomware. In October 2021, Sophos reported Python ransomware specifically targeting VMware ESXi servers.

The new sample was discovered by researchers at Aqua Security, after being caught in one of its honeypots. The ransomware specifically targets Jupyter Notebooks, an open-source web application used by data professionals to work with data, write and run code, and visualize results. This ransomware encrypts every file on a given path on the server and then deletes itself after execution.

“Since Jupyter Notebooks are used to analyze data and build data models, this attack can cause significant damage to organizations if these environments are not properly backed up,” researchers warn in an alert published on March 29, 2022.

Since Jupyter notebooks are web applications, they suffer from all the standard web application issues, including misconfigured or missing access authentication. Nautilus researchers found about 200 Jupyter notebooks accessible on the Internet without authentication (some, but not all, may be honeypots). Each of these could be reached by an attacker with nothing more than a browser, and the environment could be infected manually.

Aqua researcher Assaf Morag told SecurityWeek: “There are over 11,000 servers with Jupyter notebooks that can be accessed on the internet, so you could run a brute force attack and possibly gain access to some of them – you’d be surprised how easy it can be to guess these passwords.”

The sample trapped by Aqua is not a complete sample. It does not include, for example, any evidence of a ransom note. “We suspect,” Morag told SecurityWeek, “that the attack reached a timeout on the honeypot, or that the ransomware is still being tested ahead of real-world attacks.”

Nevertheless, the researchers believe, from what they have, that it is ransomware rather than a wiper. “Wipers usually exfiltrate data and then erase it, or just erase it,” Morag continued. “We saw no attempt to send the data outside the server, and the data was not simply erased; it was encrypted with a password (manually chosen by the attacker). This is another factor that leads us to believe that it is a ransomware attack rather than a wiping one.”

He also suspects – due to a resemblance to other Python ransomware – that the attacker simply took existing code, modified it and tweaked it to his own needs. He does not have any information that can attribute the ransomware to a known group. However, he comments: “The first thing the attacker did, to figure out whether he could download files from a remote source, was to download a text file containing only the word ‘blat’. It’s a bad word in Russian and something we’ve seen in the past from Russian attackers.”

It is highly likely that this partial ransomware attack detected by Aqua is the precursor to actual attacks against Jupyter Notebooks. Since a built-in feature of the application allows the user to open a shell terminal with additional access to the server, the risk of harm is considerable.

Aqua recommends that access to Jupyter notebooks be properly authenticated; that incoming traffic be controlled by eliminating Internet access or limiting it to VPN access; that use be restricted to unprivileged or limited-privilege users; and that outgoing traffic be controlled as completely as possible.
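As an added example (not Aqua's code or anything from the report), a short Python audit of a classic jupyter_notebook_config.py for the weak settings those recommendations address; the option names are real NotebookApp traitlets, and both config samples are constructed for the example.

```python
import re

# Added example (not Aqua's code): audit a classic jupyter_notebook_config.py for the
# exposure the recommendations above address. Option names are real NotebookApp traitlets
# (newer releases use the same names under ServerApp); the two config samples are constructed.

WEAK_SETTINGS = {  # one predicate per option that marks its value as weak
    "ip": lambda v: v in ("0.0.0.0", "*", "::"),  # bound to every interface, i.e. the Internet
    "token": lambda v: v == "",                   # token authentication switched off
    "allow_root": lambda v: v == "True",          # kernels and terminals run as root
}
ASSIGN_RE = re.compile(r"^\s*c\.(?:NotebookApp|ServerApp)\.(\w+)\s*=\s*(.+?)\s*$")

def parse_config(text):
    """Map option name -> raw value (quotes removed) for each c.<App>.<opt> = ... line."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = ASSIGN_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings

def audit(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    s = parse_config(text)
    findings = [f"{opt}={s[opt]!r}" for opt, weak in WEAK_SETTINGS.items() if opt in s and weak(s[opt])]
    # An empty token with no password hash means anyone who can reach the port gets a shell.
    if s.get("token") == "" and not s.get("password"):
        findings.append("no authentication configured (empty token, no password)")
    return findings

EXPOSED_CONFIG = """\
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.open_browser = False
c.NotebookApp.token = ''
c.NotebookApp.allow_root = True
"""

HARDENED_CONFIG = """\
c.NotebookApp.ip = '127.0.0.1'   # reached through an SSH tunnel or VPN, not the Internet
c.NotebookApp.open_browser = False
c.NotebookApp.password = 'argon2:PLACEHOLDER_HASH'   # output of `jupyter notebook password`
c.NotebookApp.allow_root = False
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```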

Aqua Security provides a cloud native application protection platform (CNAPP). It was founded in 2015 and achieved unicorn status in 2021.

Related: Necro Python Botnet Begins Targeting Visual Tools DVRs

Related: Facebook open source analysis tool for Python code

Related: CannibalRAT written in Python used in targeted attacks

Related: Despite warnings, cloud misconfiguration issue still a concern

Kevin Townsend is a senior contributor to SecurityWeek. He wrote about high-tech issues long before Microsoft was born. For the past 15 years, he has specialized in information security; and has had several thousand articles published in dozens of different magazines – from the Times and the Financial Times to current and former IT magazines.
