According to recent research by Checkmarx and Phylum, an ongoing ransomware campaign targets well-known open source packages that regularly see close to 15 million installations every week, and it conceals its payload in an unusual way.
The campaign's malware-laden packages target the well-known "requests" package on PyPI and the "discord.js" package on NPM, according to a blog post by Checkmarx researchers. When the ransomware runs, it encrypts files on the victim's computer and demands $100 in cryptocurrency to decrypt them.
Alik Koldobsky, a security researcher at Checkmarx, told SC Media that the payload is hidden in several key locations and executes only when the victim calls the packages' actual functions, unlike most open source attacks, in which malicious packages run immediately after installation. This makes the campaign hard for many security scanners to detect.
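As an added illustration of why install-time checks miss this pattern (this is example code written for this page, not Checkmarx's or Phylum's scanner, and the two sample packages it triages are constructed), the following static analysis walks a package's source with Python's `ast` module and classifies flagged code by when it would actually run: during `pip install` (a `cmdclass` hook in `setup.py`), on import (module level), or only when a caller invokes an ordinary API function. A scanner that only looks at `setup.py` sees the first sample and nothing in the second.

```python
"""Static triage of a Python package: does payload-like code run at install
time (setup.py), at import time (module level), or only when a caller uses
an API function? Added example, not Checkmarx's or Phylum's tooling; the
two sample packages below are constructed."""
import ast
import textwrap
from dataclasses import dataclass

CODE_EXEC = {"exec", "eval"}
# Decoders commonly wrapped around an embedded blob before it is executed.
DECODERS = {"b64decode", "b85decode", "a85decode", "decompress", "unhexlify", "fromhex"}


@dataclass
class Finding:
    path: str
    line: int
    enclosing: str   # "<module>" or the name of the function whose body holds the code
    reason: str


def _callee(call):
    """Bare name of a call target: 'exec', 'b64decode', 'decompress', ..."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


class _Scanner(ast.NodeVisitor):
    """Walk one file, remembering which function (if any) encloses each node."""

    def __init__(self, path):
        self.path = path
        self.stack = ["<module>"]
        self.findings = []

    def visit_FunctionDef(self, node):
        self.stack.append(node.name)
        self.generic_visit(node)
        self.stack.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_keyword(self, node):
        # setup(..., cmdclass={...}) replaces a setuptools command: code runs during pip install.
        if node.arg == "cmdclass":
            self.findings.append(Finding(self.path, node.value.lineno, self.stack[-1],
                                         "cmdclass override (install-time hook)"))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _callee(node)
        if (name in CODE_EXEC and node.args and isinstance(node.args[0], ast.Call)
                and _callee(node.args[0]) in DECODERS):
            self.findings.append(Finding(self.path, node.lineno, self.stack[-1],
                                         f"{name}() of decoded embedded data"))
        self.generic_visit(node)


def scan(files):
    """files: {relative path: source text}. Returns every Finding across the package."""
    out = []
    for path, src in files.items():
        s = _Scanner(path)
        s.visit(ast.parse(src))
        out.extend(s.findings)
    return out


def triage(files):
    """Bucket findings by when the flagged code would actually run."""
    buckets = {"install_time": [], "import_time": [], "lazy": []}
    for f in scan(files):
        if f.path == "setup.py":
            buckets["install_time"].append(f)   # runs during installation
        elif f.enclosing == "<module>":
            buckets["import_time"].append(f)    # runs as soon as the module is imported
        else:
            buckets["lazy"].append(f)           # runs only when the API function is called
    return buckets


# Constructed sample 1: the common pattern, an install hook in setup.py.
INSTALL_HOOK_PKG = {
    "setup.py": textwrap.dedent('''
        from setuptools import setup
        from setuptools.command.install import install
        import base64
        _BLOB = "<constructed placeholder, not a real payload>"
        class PostInstall(install):
            def run(self):
                install.run(self)
                exec(base64.b64decode(_BLOB))
        setup(name="samplepkg", version="1.0", cmdclass={"install": PostInstall})
    '''),
}

# Constructed sample 2: clean setup.py, payload inside an ordinary API function.
LAZY_PKG = {
    "setup.py": 'from setuptools import setup\nsetup(name="samplepkg", version="1.0")\n',
    "samplepkg/api.py": textwrap.dedent('''
        import base64, zlib
        from urllib.request import urlopen
        _BLOB = "<constructed placeholder, not a real payload>"
        def get(url, **kwargs):
            exec(zlib.decompress(base64.b64decode(_BLOB)))  # fires only when a caller uses get()
            return urlopen(url)
    '''),
}


if __name__ == "__main__":
    for label, pkg in (("install-hook sample", INSTALL_HOOK_PKG), ("lazy sample", LAZY_PKG)):
        b = triage(pkg)
        print(label, {k: [(f.path, f.line, f.enclosing, f.reason) for f in v] for k, v in b.items()})
```

The rule is deliberately narrow (`exec`/`eval` applied directly to a decoder's output) to keep false positives low on real packages; in practice you would extend `DECODERS` and `CODE_EXEC` with whatever your own corpus shows, and pair the static pass with a sandbox that exercises the package's public API rather than just installing and importing it, since the lazy bucket is exactly the code an install-only sandbox never reaches.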
Because the malware payload works on several different operating systems, the campaign can reach a larger population. The perpetrators also gave the ransomware's communications and infrastructure names referencing the U.S. Central Intelligence Agency.
Although full attribution has not yet been made, researchers have found evidence suggesting the attacker is Russian: the Telegram account linked to the attack has a Russian phone number, and the attacker communicates directly with researchers in Russian.
Even after Checkmarx reported the attacks, the perpetrator's account is still able to publish potentially dangerous packages on NPM and PyPI, where software supply chain attacks are common. The researchers say they will keep watching for new activity. Koldobsky expects further attacks by the same actors, as well as copycats, given the method's simplicity and effectiveness.
Beyond this campaign's unusual way of concealing its payload, Mike Parkin, senior technical engineer at Vulcan Cyber, noted that ransomware attackers occasionally use open source as a delivery channel. In August, Sonatype detected several malicious Python packages that carried ransomware.
Ransomware attacks targeting open source software are expected to increase in the coming months, according to Kristen Bell, director of application security at GuidePoint Security.