Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Researchers Find Python-Based Ransomware Targeting Jupyter Notebook Web Apps

Researchers warn of likely future ransomware attacks against web applications used by data scientists

Researchers have found what they believe to be the first Python-based ransomware sample specifically targeting Jupyter Notebooks.

Researchers warn of likely future ransomware attacks against web applications used by data scientists

Researchers have found what they believe to be the first Python-based ransomware sample specifically targeting Jupyter Notebooks.

Python is not commonly used for developing malware, with criminals preferring languages like Go, DLang, Nim and Rust. Nevertheless, this is not the first Python ransomware. In October 2021, Sophos reported on a Python ransomware specifically targeting VMware ESXi servers.

The new sample was discovered by researchers at Aqua Security, after it was caught in one of its honeypots. The ransomware specifically targets Jupyter Notebooks, an open-source web app used by data professionals to work with data, write and execute code, and visualize the results. This ransomware encrypts every file on a given path on the server, and then deletes itself after execution.

“Since Jupyter Notebooks are used to analyze data and build data models, this attack can lead to significant damage to organizations if these environments aren’t properly backed up,” warn the researchers in an alert issued on March 29, 2022.

Since Jupyter Notebooks are web apps, they suffer from all the standard web app issues, including misconfigured or missing access authentication. The Aqua Security researchers found around 200 internet-facing Jupyter Notebooks (some but not all may be honeypots) with no authentication. Each one of these could be accessed by an attacker with nothing more than a browser, and the environment could be infected manually.

Aqua researcher Assaf Morag told SecurityWeek, “There are more than 11,000 servers with Jupyter Notebooks that are internet-facing, so you can run a brute force attack and possibly gain access to some of them – you would be surprised how easy it can be to guess these passwords.”

The sample trapped by Aqua is not a complete sample. It does not, for example, include evidence of a ransom note. “We suspect,” Morag told SecurityWeek, “that the attack either reached a timeout on the honeypot, or that the ransomware is still being tested prior to real world attacks.”

Nevertheless, the researchers believe from what they have that this is ransomware rather than a wiper weapon. “Wipers usually exfiltrate the data and wipe it or just wipe it,” continued Morag. “We haven’t seen any attempt to send the data outside the server and the data wasn’t just wiped, it was encrypted with a password (manually chosen by the attacker). This is another factor that leads us to believe that this is a ransomware attack rather than a wiper.”

He also suspects – because of a resemblance to other Python ransomware – that the attacker simply took existing code, and tweaked and adjusted it to his own needs. He does not have any information that could attribute the ransomware to any known group. However, he comments, “The first thing the attacker did to understand that he can download files from a remote source was to download a text file that contains solely the word ‘blat’. This is a naughty word in Russian and something that we have seen in the past by Russian attackers.”

There is a strong likelihood that this partial ransomware attack detected by Aqua is the forerunner of real-life attacks against Jupyter Notebooks. Since a built-in feature of the application allows the user to open a shell terminal with further access to the server, the potential for harm is considerable.

Aqua recommends that access to Jupyter Networks be properly authenticated; inbound traffic be controlled by eliminating internet access or limiting it to VPN access; use be constrained to non-privileged or limited privilege users; and outbound traffic be controlled as fully as possible.

Aqua Security provides a cloud native application protection platform (CNAPP). It was founded in 2015, and achieved unicorn status in 2021.

Related: Necro Python Botnet Starts Targeting Visual Tools DVRs

Related: Facebook Open Sources Analysis Tool for Python Code

Related: Python-Written CannibalRAT Used in Targeted Attacks

Related: Despite Warnings, Cloud Misconfiguration Problem Remains Disturbing

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybersecurity Funding

SecurityWeek investigates how political/economic conditions will affect venture capital funding for cybersecurity firms during 2023.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.