Researchers have discovered a new Python-based ransomware strain that is specifically designed to target exposed Jupyter Notebook applications. Jupyter Notebook is a web-based interactive computing platform that allows editing and running of Python-based programs in a web browser.
The threat actors behind this attack were first seen gaining access to the server running the exposed Jupyter Notebook application and downloading the tools needed to carry out the encryption process. They then manually created a Python script within Jupyter that acted as the encryptor and executed it. Upon execution, the script prompted the threat actors for a directory to encrypt and a password to use for encryption, then encrypted each file in that directory and any sub-directories using AES. Upon completion, the Python file deleted itself in an attempt to conceal the attack. No ransom note was found in this original attack, meaning the adversary may have been experimenting with the attack or was otherwise unable to deploy the note.
A unique trademark file was seen created prior to the encryption process, making it likely that this attack was executed by a known threat actor with Russian origins. This trademark file has been seen previously in many cryptomining attacks targeting Jupyter Notebook and JupyterLab environments.
Any Jupyter Notebook applications should be properly secured with authentication and only be accessible via HTTPS. This will help prevent threat actors from being able to easily access the application, especially if it is exposed to the Internet. Likewise, if possible, any Jupyter Notebook instances should not be accessible from the Internet and should be locked down to internal network access only. If this is not feasible due to accessibility requirements, access from the Internet should be configured so that only required IP addresses can access the application. A regular review of access should also be performed on the Jupyter Notebook application by querying the user database to validate that there are not any unauthorized or unknown users with access. Finally, as with all ransomware or wiper attacks, it is important to have proper and regular backup mechanisms of critical infrastructure to help prevent data loss from an attack.
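As an added illustration of the hardening advice above (this is example code written for this write-up, not a tool from the researchers), the following audit checks a Jupyter configuration file for the three weaknesses the advisory calls out: no authentication, no HTTPS, and binding to every network interface. It assumes the classic `c.NotebookApp.<key> = <literal>` (or `c.ServerApp.<key>`) line format, and the sample configs are constructed.

```python
import ast
import re

# Assumed config line shape: c.NotebookApp.ip = '0.0.0.0'
# (NotebookApp is the classic notebook; ServerApp is jupyter_server.)
_LINE = re.compile(r"^\s*c\.(NotebookApp|ServerApp)\.(\w+)\s*=\s*(.+?)\s*$")


def parse_jupyter_config(text):
    """Return {key: value} for the c.<App>.<key> = <literal> lines in a config."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # comments, blank lines and non-assignment code are ignored
        try:
            settings[m.group(2)] = ast.literal_eval(m.group(3))
        except (ValueError, SyntaxError):
            settings[m.group(2)] = m.group(3)  # keep raw text for non-literal values
    return settings


def audit_jupyter_config(text):
    """Flag the weaknesses the advisory warns about: no auth, no TLS, Internet-facing bind."""
    s = parse_jupyter_config(text)
    findings = []
    # 1. Authentication: an empty token and no password hash means anyone who can
    #    reach the port gets a kernel, i.e. code execution on the host.
    if s.get("token") == "" and not s.get("password"):
        findings.append("no-auth: token disabled and no password hash configured")
    # 2. Transport: without certfile/keyfile the server speaks plain HTTP, so
    #    tokens and passwords cross the network in clear text.
    if not (s.get("certfile") and s.get("keyfile")):
        findings.append("no-https: certfile/keyfile not set")
    # 3. Exposure: binding to all interfaces exposes the app beyond localhost; it
    #    should sit behind a firewall or proxy restricted to required IPs instead.
    if s.get("ip") in ("0.0.0.0", "*", "::"):
        findings.append(f"exposed: listening on all interfaces ({s['ip']})")
    return findings


# Constructed sample configs (not taken from the advisory).
WEAK_CONFIG = """
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.token = ''
c.NotebookApp.open_browser = False
"""

HARDENED_CONFIG = """
c.NotebookApp.ip = '127.0.0.1'
# placeholder hash; generate a real one with notebook.auth.passwd()
c.NotebookApp.password = 'argon2:PLACEHOLDER_HASH'
c.NotebookApp.certfile = '/etc/jupyter/server.crt'
c.NotebookApp.keyfile = '/etc/jupyter/server.key'
"""
```

Running `audit_jupyter_config` over a deployed config is a cheap addition to the periodic access review the advisory recommends.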