This new ransomware targets data visualization tool Jupyter Notebook

A new strain of Python ransomware targets Jupyter Notebook environments.

Jupyter Notebook is an open source web environment for data visualization. The modular software is used to model data in data science, computer science and machine learning. The project supports more than 40 programming languages and is used by companies such as Microsoft, IBM and Google, in addition to numerous universities.

Aqua Security’s Team Nautilus recently discovered malware that targets this popular data tool.

While Jupyter Notebook allows users to share their content with trusted contacts, access to the app is secured via account credentials or tokens. In the same way that companies sometimes fail to secure their AWS buckets, leaving them publicly visible, misconfigured notebook environments have also been found exposed.

The Python ransomware targets those who have accidentally made their environment vulnerable.
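The misconfigurations described above come down to a handful of settings in the Jupyter config file. The following script is an added example, not code from the article or from Aqua Security: it parses a (constructed) `jupyter_notebook_config.py` with Python's `ast` module and flags the settings that turn a private notebook server into an internet-facing one with no authentication. The config fragments are made up for illustration; the trait names (`ip`, `token`, `password`, `allow_origin`, `allow_root`) are the real `NotebookApp`/`ServerApp` traitlets.

```python
import ast
from typing import Dict, List

# Constructed sample: the kind of config that exposes a notebook server
# to the open internet with no authentication at all.
WEAK_CONFIG = """
c = get_config()
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.token = ''
c.NotebookApp.password = ''
c.NotebookApp.allow_origin = '*'
c.NotebookApp.open_browser = False
"""

# Constructed sample of the same server hardened: bound to localhost,
# password required, no wildcard origin. The hash value is a placeholder.
HARDENED_CONFIG = """
c = get_config()
c.NotebookApp.ip = '127.0.0.1'
c.NotebookApp.password = '<argon2 password hash placeholder>'
c.NotebookApp.open_browser = False
"""


def _literal_settings(source: str) -> Dict[str, object]:
    """Collect literal assignments of the form c.NotebookApp.X = <literal>
    (or c.ServerApp.X) from a Jupyter config file. Non-literal values skip."""
    settings: Dict[str, object] = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign) or len(node.targets) != 1:
            continue
        target = node.targets[0]
        if (isinstance(target, ast.Attribute)
                and isinstance(target.value, ast.Attribute)
                and target.value.attr in ("NotebookApp", "ServerApp")):
            try:
                settings[target.attr] = ast.literal_eval(node.value)
            except ValueError:
                continue
    return settings


def audit_jupyter_config(source: str) -> List[str]:
    """Return human-readable findings for risky settings; empty list if clean."""
    s = _literal_settings(source)
    findings: List[str] = []
    ip = s.get("ip", "localhost")  # Jupyter's default is localhost-only
    if ip in ("0.0.0.0", "*", ""):
        findings.append("server bound to all interfaces (ip=%r)" % ip)
    # An empty token disables token auth; with no password set, anyone can connect.
    if s.get("token") == "" and s.get("password", "") == "":
        findings.append("authentication disabled: empty token and no password")
    if s.get("allow_origin") == "*":
        findings.append("wildcard allow_origin permits cross-site requests")
    if s.get("allow_root") is True:
        findings.append("notebook runs as root")
    return findings
```

Run `audit_jupyter_config` over a real config before exposing a server; any finding on the authentication line is the condition the attack in this article relied on.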

The researchers set up a honeypot containing an exposed Jupyter notebook application to observe the malware’s behavior. The ransomware operator accessed the server, opened a terminal, downloaded a range of malicious tools – including encryptors – and then manually generated a Python script that ran ransomware.

While the attack stopped without getting the job done, Team Nautilus was able to collect enough data to simulate the rest of the attack in a lab setting. The encryptor would copy and then encrypt files, delete all unencrypted content and delete itself.

Image: Aqua Security

It should be noted that no ransom note was included as part of the package, which the team believes points to one of two things: either the attacker was experimenting with their creation on the honeypot, or the honeypot timed out before the ransomware attack was completed.

While attribution isn’t concrete, the cybersecurity researchers say they may be “familiar” with the miscreants because of the attacker’s trademark checks performed before an attack begins.

Clues indicate that the individual could be from Russia, and if it is the same attacker, they have been linked to cryptojacking attacks on Jupyter environments in the past.

A Shodan search reveals that hundreds of web-facing Jupyter Notebook environments are open and accessible (although some may also be honeypots).

“The attackers initially gained access through misconfigured environments, then ran a ransomware script that encrypts every file on a certain path on the server and deletes itself after execution to hide the attack,” the researchers said. “Since Jupyter notebooks are used to analyze data and build data models, this attack could cause significant damage to organizations if these environments are not properly backed up.”
