Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser.
“The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack,” Assaf Morag, a data analyst at Aqua Security, said in a report.
The ransomware was discovered by the cloud security company after being trapped inside one of their honeypot servers. It is believed that the attacker gained access to the server, and then downloaded all the tools necessary to execute the encryption procedure.
Aqua Security characterized the attack as “simple and straightforward,” unlike other traditional ransomware-as-a-service (RaaS) schemes, adding that no ransom note was presented on the system, raising the possibility that the threat actor may have been experimenting with the modus operandi, or that the honeypot timed out before it could be complete.
The identity of the attacker is still unknown, but evidence uncovered during incident analysis suggests that he may be Russian, noting similarities to previous attacks on Jupyter notebooks.
“Since Jupyter notebooks are used to analyze data and build data models, this attack can lead to significant damage to organizations if these environments aren’t properly backed up,” Morag said.
