This new ransomware targets data visualization tool Jupyter Notebook

Misconfigured environments are the entry point for the ransomware strain.
Written by Charlie Osborne, Contributing Writer

A new strain of Python ransomware is targeting environments using Jupyter Notebook. 

Jupyter Notebook is an open source web environment for data visualization. The modular software is used to model data in data science, computing, and machine learning. The project supports over 40 programming languages and is used by companies including Microsoft, IBM, and Google, alongside numerous universities. 

Aqua Security's Team Nautilus recently discovered malware that has honed in on this popular data tool. 

While Jupyter Notebook allows users to share their content with trusted contacts, access to the app is secured through account credentials or tokens. However, in the same way, that businesses sometimes do not secure their AWS buckets, leaving them open for anyone to view, Notebook misconfigurations have also been found. 

The Python ransomware targets those that have accidentally left their environments vulnerable.

The researchers set up a honeypot containing an exposed Jupyter notebook application to observe the malware's behavior. The ransomware operator accessed the server, opened a terminal, downloaded a set of malicious tools -- including encryptors -- and then manually generated a Python script that executed ransomware. 

While the assault stopped without finishing the job, Team Nautilus was able to grab enough data to simulate the rest of the attack in a lab environment. The encryptor would copy and then encrypt files, delete any unencrypted content, and delete itself. 

Aqua Security

It should be noted that no ransom note was included as part of the package, which the team suspects indicate one of two things: either the attacker was experimenting with their creation on the honeypot, or the honeypot timed out before the ransomware attack was completed. 

While attribution isn't concrete, the cybersecurity researchers say they might be "familiar" with the miscreant due to their trademark checks before an attack begins. 

Clues indicate the individual could be from Russia, and if it is the same attacker, they have been linked to cryptojacking attacks on Jupyter environments in the past. 

A Shodan search reveals several hundred internet-facing Jupyter Notebook environments are open and accessible (although some may also be honeypots.)

"The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack," the researchers said. "Since Jupyter notebooks are used to analyze data and build data models, this attack can lead to significant damage to organizations if these environments aren't properly backed up."

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards