RansomHub Ransomware Exploits Network Vulnerabilities via Python-Based Malware

January 16, 2025

GuidePoint Security researchers have documented an intrusion in which a threat actor used a Python-based backdoor to maintain persistent access to compromised systems and then deployed RansomHub ransomware across the victim's network.

Initial access was reportedly obtained via SocGholish (aka FakeUpdates), JavaScript malware commonly distributed through drive-by campaigns that trick users into downloading fake browser updates. It is typically served by compromised websites that victims reach from search-engine results, thanks to black-hat SEO techniques.

The Python backdoor was dropped about 20 minutes after the initial SocGholish infection. The threat actor then used it to move laterally to other machines on the same network over RDP sessions. According to security researcher Andrew Nelson, "Functionally, the script is a reverse proxy that connects to a hard-coded IP address. Once the script has passed the initial command-and-control (C2) handshake, it establishes a tunnel that is heavily based on the SOCKS5 protocol. This tunnel allows the threat actor to move laterally in the compromised network using the victim system as a proxy."
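The following Python is an added example for this article; it is not the backdoor's code and not from GuidePoint or ReliaQuest. It parses the SOCKS5 client greeting and CONNECT request as laid out in RFC 1928 and flags CONNECT requests that arrive down an established outbound connection and name an internal host or a lateral-movement port such as RDP 3389. In a reverse proxy of the kind described, that is the direction the requests travel: the operator names a target and the victim opens the connection. The sample session, the internal address ranges and the port table are constructed assumptions, not captured traffic.

```python
"""SOCKS5 handshake parser plus a check for CONNECT requests that point a
victim-side proxy at internal hosts. Added example for this article; it is not
the backdoor's code and not from GuidePoint or ReliaQuest. Message layouts
follow RFC 1928; the sample stream, internal ranges and port table below are
constructed for illustration.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Assumptions for this example: the address space you treat as internal, and
# the ports a lateral-movement tunnel would most likely be pointed at.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
LATERAL_PORTS = {3389: "rdp", 445: "smb", 5985: "winrm", 5986: "winrm", 22: "ssh"}


def parse_greeting(data: bytes):
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS] (RFC 1928 s.3)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if len(data) != 2 + n:
        return None
    return {"methods": list(data[2:])}


def parse_connect_request(data: bytes):
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (s.4).
    Returns {"host", "port"} or None when the bytes are not a CONNECT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0:
        return None
    atyp = data[3]
    if atyp == ATYP_IPV4 and len(data) == 10:
        host, port_off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6 and len(data) == 22:
        host, port_off = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == ATYP_DOMAIN and len(data) >= 5 and data[4] > 0 and len(data) == 7 + data[4]:
        host, port_off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    else:
        return None
    return {"host": host, "port": struct.unpack("!H", data[port_off:port_off + 2])[0]}


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a CONNECT request; used here only to construct sample traffic."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:  # not an IP literal: encode as a domain name
        raw = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def is_internal(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host  # unqualified hostname: assume it resolves internally
    return any(ip in net for net in INTERNAL_NETS)


def scan_c2_stream(messages):
    """messages: (direction, payload) pairs from one victim session, where
    'in' is data the C2 server sends back down the victim's outbound connection.
    Returns one alert per CONNECT aimed at an internal host or lateral port."""
    alerts, saw_greeting = [], False
    for direction, payload in messages:
        if direction != "in":
            continue
        if parse_greeting(payload):
            saw_greeting = True
            continue
        req = parse_connect_request(payload)
        if req is None:
            continue
        host, port = req["host"], req["port"]
        if is_internal(host) or port in LATERAL_PORTS:
            shown = f"[{host}]" if ":" in host else host
            alerts.append({"target": f"{shown}:{port}",
                           "service": LATERAL_PORTS.get(port, "other"),
                           "after_greeting": saw_greeting})
    return alerts


# Constructed sample session (not captured traffic).
SAMPLE_STREAM = [
    ("out", b"hello victim-01"),                          # stand-in for the C2 handshake
    ("in", bytes([0x05, 0x01, 0x00])),                    # greeting: one method, no auth
    ("out", bytes([0x05, 0x00])),                         # method selected
    ("in", build_connect_request("10.0.0.25", 3389)),     # RDP to an internal host
    ("out", bytes([0x05, 0x00, 0x00, 0x01]) + bytes(6)),  # reply: succeeded
    ("in", build_connect_request("dc01", 445)),           # SMB by short hostname
    ("in", build_connect_request("fd00::10", 5985)),      # WinRM over IPv6 ULA
    ("in", build_connect_request("203.0.113.10", 443)),   # external HTTPS: not flagged
]

if __name__ == "__main__":
    for alert in scan_c2_stream(SAMPLE_STREAM):
        print(alert)
```

The article says the tunnel is only "heavily based on" SOCKS5 and passes a C2 handshake first, so the channel may be framed or encrypted and byte-level matching is a starting point rather than a signature. The more robust signal is on the endpoint: a Python interpreter holding a long-lived outbound connection to a single external address and then originating RDP or SMB connections to peers on the internal network.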

This Python script, an earlier version of which ReliaQuest documented in February 2024, has been seen in the wild since early December 2023. Since then it has received only surface-level changes, mainly to the obfuscation used to evade detection.

Separately, ransomware campaigns have been observed targeting Amazon S3 buckets by abusing Amazon Web Services' Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt victim data under a key the attacker controls. Because S3 does not retain an SSE-C key (it stores only a salted HMAC of it to validate later requests), objects encrypted this way cannot be recovered without that key. The activity has been attributed to a threat actor dubbed Codefinger.
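As an added example, and not code from AWS, the researchers or the attacker, the Python below does two things a defender would want here: it scans S3 data-event records for object writes that used SSE-C, so a burst of such writes from one principal stands out, and it emits a bucket-policy statement that denies writes carrying the SSE-C algorithm header. The CloudTrail records are constructed; the field names (eventName, requestParameters, additionalEventData.SSEApplied) follow S3 data-event records, but confirm them against your own logs before relying on the check.

```python
"""Flag S3 object writes that used SSE-C and build a bucket-policy statement
that blocks them. Added example for this article, not code from AWS or the
researchers. The records below are constructed; field names follow S3
data-event records but should be verified against real logs.
"""
import json

# S3 calls that can write object data under a caller-supplied key.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload",
                "UploadPart", "UploadPartCopy"}
SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def is_ssec_write(record: dict) -> bool:
    """True when the event wrote an object with a caller-held (SSE-C) key."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if record.get("eventName") not in WRITE_EVENTS:
        return False
    applied = (record.get("additionalEventData") or {}).get("SSEApplied")
    params = record.get("requestParameters") or {}
    return applied == "SSE_C" or SSEC_HEADER in params


def find_ssec_writes(records):
    """Return who wrote what with SSE-C, and from where."""
    hits = []
    for r in records:
        if not is_ssec_write(r):
            continue
        params = r.get("requestParameters") or {}
        hits.append({
            "principal": (r.get("userIdentity") or {}).get("arn", "?"),
            "bucket": params.get("bucketName", "?"),
            "key": params.get("key", "?"),
            "source_ip": r.get("sourceIPAddress", "?"),
        })
    return hits


def deny_ssec_statement(bucket: str) -> dict:
    """Bucket-policy statement denying any object write that carries the SSE-C
    algorithm header. The Null condition is true when the key is present."""
    return {
        "Sid": "DenySSECWrites",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:" + SSEC_HEADER: "false"}},
    }


# Constructed sample records (documentation account and address ranges).
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "acme-finance", "key": "q4/ledger.xlsx",
                           SSEC_HEADER: "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",   # normal write
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"},
     "sourceIPAddress": "10.0.4.12",
     "requestParameters": {"bucketName": "acme-finance", "key": "uploads/report.pdf"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",   # read, not a write
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "acme-finance", "key": "q4/ledger.xlsx",
                           SSEC_HEADER: "AES256"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",  # in-place re-encrypt
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "acme-finance", "key": "q4/ledger.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]

if __name__ == "__main__":
    for hit in find_ssec_writes(SAMPLE_RECORDS):
        print(hit)
    print(json.dumps(deny_ssec_statement("acme-finance"), indent=2))
```

The deny statement blocks legitimate SSE-C use as well, so confirm no workload depends on it before applying, and pair it with bucket versioning so an object overwritten under an attacker's key can be rolled back to its prior version.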

Meanwhile, SlashNext reported a surge in rapid-fire phishing campaigns that mimic the Black Basta ransomware crew's email-bombing technique, flooding victims' inboxes with more than 1,100 legitimate newsletter or payment-notice messages. The attackers then pose as company tech support and persuade users to install remote-access software such as TeamViewer or AnyDesk, after which they can move into the network and access sensitive data.
