Researchers have discovered a new Python-based ransomware strain that is specifically designed to target exposed Jupyter Notebook applications. Jupyter Notebook is a web-based interactive computing platform that allows users to edit and run Python code from a web browser.
The threat actors behind this attack were first seen gaining access to the server running the exposed Jupyter Notebook application and downloading the tools needed to carry out the encryption process. They then manually created a Python script within Jupyter that acted as the encryptor and executed it. Upon execution, the script prompted the threat actors for a directory to encrypt and a password to use for encryption, then encrypted each file in that directory and its sub-directories using AES. Upon completion, the Python file deleted itself in an attempt to conceal the attack. No ransom note was found in this original attack, meaning the adversary may have been experimenting with the attack or was otherwise unable to deploy the note.
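The intrusion above started from a Jupyter instance that was reachable and unauthenticated, so the practical check for a defender is whether a deployment's own configuration leaves it that way. The following audit is an added example, not code from the incident or from the Jupyter project; it assumes the standard `c.NotebookApp.*` / `c.ServerApp.*` traitlets (`ip`, `token`, `password`, `allow_remote_access`, `certfile`, `keyfile`, `allow_root`) written as simple literal assignments, and the two sample configs and the password hash are constructed placeholders.

```python
import ast
import re
# Both the classic NotebookApp and the newer ServerApp expose the same traitlet names.
_LINE = re.compile(r"^\s*c\.(?:NotebookApp|ServerApp)\.(\w+)\s*=\s*(.+?)\s*$")

def parse_settings(config_text):
    """Map trait name -> value for simple `c.<App>.<trait> = <literal>` lines."""
    settings = {}
    for line in config_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        try:
            settings[m.group(1)] = ast.literal_eval(m.group(2))
        except (ValueError, SyntaxError):
            settings[m.group(1)] = m.group(2)  # non-literal expression: keep raw text
    return settings

def audit(config_text):
    """Return finding codes for settings that leave the notebook server exposed."""
    s = parse_settings(config_text)
    findings = []
    # Default ip is localhost; '0.0.0.0' or '*' listens on every interface.
    exposed = (s.get("ip", "localhost") in ("0.0.0.0", "*", "")
               or s.get("allow_remote_access") is True)
    # token='' disables token auth; with no password hash, anyone reaching the port gets in.
    no_auth = s.get("token") == "" and not s.get("password")
    if exposed and no_auth:
        findings.append("EXPOSED_NO_AUTH")
    elif no_auth:
        findings.append("NO_AUTH")
    if exposed and not (s.get("certfile") and s.get("keyfile")):
        findings.append("NO_TLS")  # credentials and notebook content cross the wire in clear
    if s.get("allow_root") is True:
        findings.append("ALLOW_ROOT")  # any script run from a notebook runs as root
    return findings
# Constructed sample configs (not from the incident); the password hash is a placeholder.
WEAK_CONFIG = """
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.token = ''
c.NotebookApp.password = ''
c.NotebookApp.allow_root = True
"""
HARDENED_CONFIG = """
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.password = 'sha1:PLACEHOLDER-HASH'
c.ServerApp.allow_root = False
"""
```

Running `audit(WEAK_CONFIG)` flags the combination that made the attack in this report possible, while the loopback-bound, password-protected config returns no findings.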
A unique trademark file was seen being created prior to the encryption process, making it likely that this attack was carried out by a known threat actor of Russian origin. The same trademark file has previously been observed in many cryptomining attacks targeting Jupyter Notebook and JupyterLab environments.