Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws
Summary:
On January 15, 2025, GuidePoint Security published findings from a Q4 2024 incident response involving a Python-based backdoor used by threat actors to maintain access to compromised systems. This access was leveraged to deploy RansomHub encryptors across the targeted network. Earlier iterations of the malware were documented by ReliaQuest in February 2024. The latest version of the backdoor demonstrated several enhancements, including the use of PyObfuscate[.]com for obfuscation, deployment through Remote Desktop Protocol lateral movement, and unique indicators of compromise such as filenames, scheduled task names, and command-and-control addresses. GuidePoint identified 18 C2 IPs associated with this backdoor, which will be shared via the GitHub feed "Ransomhub Python C2."
The initial access was linked to SocGholish (FakeUpdate) infections, with the Python backdoor deployed approximately 20 minutes after infection. The threat actor subsequently spread the backdoor during lateral movement via RDP sessions. Installation involved moving to a target directory, installing Python and necessary libraries, setting up a proxy script, and establishing persistence through scheduled tasks. This process was consistent across both the initially infected systems and those impacted through lateral movement.
Functionally, the Python script acts as a reverse proxy, creating a SOCKS5-like tunnel for lateral movement within the compromised network. It establishes a connection to a hardcoded C2 IP address and proxies traffic through a TCP tunnel. The script’s code is polished and includes extensive error handling, indicative of AI-assisted development. Obfuscation methods have evolved since the malware’s first appearance on VirusTotal in December 2023, with the latest variant observed in September 2024. These updates focused on evasion techniques while maintaining core functionality.
Security Officer Comments:
GuidePoint’s analysis revealed detailed C2 behavior, including creating a TCP connection to a hardcoded IP address, utilizing two non-null bytes from the initial connection to establish a subsequent connection, and forming a SOCKS5-like tunnel for proxied traffic. Despite incomplete protocol implementation, the malware demonstrated significant sophistication in its logging and error handling. This incident underscores how ransomware affiliates continue to use advanced Python-based backdoors for persistence and detection evasion. The polished coding and AI-assisted features highlight evolving tactics in malware development.
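The summary above and the comments here both describe the backdoor's tunnel as "SOCKS5-like" with an incomplete protocol implementation. A network defender looking for this class of tunnel can classify the first client-to-server bytes of a captured TCP flow against the RFC 1928 handshake and flag SOCKS5 greetings on ports where no proxy is expected. The following is an added example written for this page, not code from GuidePoint, ReliaQuest, or the malware itself; the flow records, addresses and byte strings are constructed, and it makes no claim about the actual byte layout the backdoor uses (the "two non-null bytes" detail is not modelled). Truncated or malformed requests are reported as anomalies rather than discarded, since a partial implementation may not complete the handshake cleanly.

```python
"""Classify the opening client->server bytes of a TCP flow as a SOCKS5 handshake.

Added example for defenders: detect RFC 1928 client greetings and CONNECT/BIND/
UDP requests in captured flows and flag them on unexpected ports. All sample
data below is constructed and does not come from any real incident.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
AUTH_NAMES = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USERNAME_PASSWORD"}


@dataclass
class Socks5Verdict:
    is_socks5: bool
    auth_methods: List[str] = field(default_factory=list)
    command: Optional[str] = None
    destination: Optional[str] = None       # "host:port" when fully parsed
    anomalies: List[str] = field(default_factory=list)


def parse_client_greeting(data: bytes):
    """VER NMETHODS METHODS... -> (methods, bytes_consumed), or None if not SOCKS5."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods]), 2 + nmethods


def parse_client_request(data: bytes):
    """VER CMD RSV ATYP DST.ADDR DST.PORT -> (command, "host:port" or None, anomalies).

    Returns None when the bytes do not even start like a SOCKS5 request.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] not in CMD_NAMES:
        return None
    command, anomalies = CMD_NAMES[data[1]], []
    if data[2] != 0x00:
        anomalies.append("reserved byte is non-zero")
    atyp, off = data[3], 4
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < off + 1:
            return command, None, anomalies + ["truncated request"]
        addr_len, off = data[off], off + 1          # one length byte, then the name
    else:
        return command, None, anomalies + [f"unknown address type 0x{atyp:02x}"]
    if len(data) < off + addr_len + 2:              # address plus 2-byte port
        return command, None, anomalies + ["truncated request"]
    raw_addr = data[off:off + addr_len]
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(raw_addr))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(raw_addr))
    else:
        host = raw_addr.decode("ascii", errors="replace")
    (port,) = struct.unpack("!H", data[off + addr_len:off + addr_len + 2])
    return command, f"{host}:{port}", anomalies


def classify_client_bytes(data: bytes) -> Socks5Verdict:
    """Greeting followed by request; only client->server bytes are examined,
    so the server's method-selection reply never appears in this buffer."""
    greeting = parse_client_greeting(data)
    if greeting is None:
        return Socks5Verdict(is_socks5=False)
    methods, off = greeting
    verdict = Socks5Verdict(True, [AUTH_NAMES.get(m, f"0x{m:02x}") for m in methods])
    req = parse_client_request(data[off:])
    if req is None:
        verdict.anomalies.append("greeting not followed by a SOCKS5 request")
        return verdict
    verdict.command, verdict.destination, extra = req
    verdict.anomalies.extend(extra)
    return verdict


# Constructed flow records (hypothetical hosts; RFC 5737 documentation ranges).
SAMPLE_FLOWS = [
    {"src": "10.10.4.21", "dst": "203.0.113.77", "dport": 443,
     "client_bytes": b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([10, 10, 4, 50]) + struct.pack("!H", 3389)},
    {"src": "10.10.4.22", "dst": "198.51.100.9", "dport": 443,
     "client_bytes": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},      # TLS ClientHello prefix
    {"src": "10.10.4.23", "dst": "192.0.2.10", "dport": 1080,
     "client_bytes": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 80)},
    {"src": "10.10.4.24", "dst": "203.0.113.77", "dport": 8443,
     "client_bytes": b"\x05\x01\x00" + b"\x05\x01\x00\x01\x0a\x0a"},           # request cut short
]


def find_suspicious_socks_flows(flows, expected_ports=(1080,)):
    """Flows carrying a SOCKS5 client handshake on a port where no proxy is expected."""
    hits = []
    for flow in flows:
        verdict = classify_client_bytes(flow["client_bytes"])
        if verdict.is_socks5 and flow["dport"] not in expected_ports:
            hits.append({**flow, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_socks_flows(SAMPLE_FLOWS):
        print(f'{hit["src"]} -> {hit["dst"]}:{hit["dport"]}  {hit["verdict"]}')
```

In practice the `client_bytes` field would come from the first payload bytes of each flow as exported by a sensor such as Zeek or a packet capture; the `expected_ports` allow-list should hold the ports of any sanctioned SOCKS proxies so that only unexpected tunnels are reported.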
Suggested Corrections:
IOCs:
https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check Your Security Team's Work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Link(s):
https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
https://thehackernews.com/2025/01/python-based-malware-powers-ransomhub.html