Ransomware Attack Involves Python-Based Backdoor and RansomHub Ransomware
By Ravie Lakshmanan, January 16, 2025
Cybersecurity researchers have detailed an attack in which a threat actor used a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged that access to deploy the RansomHub ransomware throughout the target network.
Initial Access Facilitated by JavaScript Malware
According to GuidePoint Security, initial access is said to have been facilitated by a JavaScript malware downloader named SocGholish, which exploits the BOINC mining protocol.
"Threat actor Codefinger abuses publicly disclosed AWS keys with permissions to write and read S3 objects," Halcyon said. "By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation."
Rapid-Fire Phishing Campaigns Mimicking Black Basta Ransomware Crew
The development comes as SlashNext said it has witnessed a surge in "rapid-fire" phishing campaigns mimicking the Black Basta ransomware crew’s email bombing technique to flood victims’ inboxes with over 1,100 legitimate messages related to newsletters or payment notices.
"Then, when people feel overwhelmed, the attackers swoop in via phone calls or Microsoft Teams messages, posing as company tech support with a simple fix," the company said.
"They speak with confidence to gain trust, directing users to install remote-access software like TeamViewer or AnyDesk. Once that software is on a device, attackers slip in quietly. From there, they can spread harmful programs or sneak into other areas of the network, clearing a path straight to sensitive data."
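The email-bombing stage described above leaves a measurable trace at the mail gateway: one recipient suddenly receiving a large burst of messages from many distinct, individually legitimate senders. The following is an added detection example, not code from the article or from SlashNext; it runs over a constructed mail-gateway log (timestamp, recipient, sender per line) with placeholder thresholds that should be tuned to an organization's baseline volume.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mail-gateway log: "<ISO timestamp> <recipient> <sender>" per line.
# alice receives a 60-message burst from 60 distinct newsletter senders within ten
# minutes (the email-bombing pattern); bob receives ordinary traffic.
_BASE = datetime(2025, 1, 15, 9, 0, 0)
SAMPLE_LOG = "\n".join(
    f"{(_BASE + timedelta(seconds=10 * i)).isoformat()} alice@example.com list{i}@newsletter.example"
    for i in range(60)
) + "\n" + "\n".join(
    f"{(_BASE + timedelta(minutes=3 * i)).isoformat()} bob@example.com colleague{i}@example.com"
    for i in range(3)
)

def parse_lines(text: str):
    """Yield (timestamp, recipient, sender) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def detect_email_bombing(text: str, threshold: int = 50, window_minutes: int = 10,
                         min_senders: int = 20) -> dict:
    """Return {recipient: (peak_count, peak_distinct_senders)} for recipients that
    exceed `threshold` messages inside any sliding `window_minutes` window AND see
    at least `min_senders` distinct senders. The distinct-sender condition separates
    subscription bombing (many real sources) from a single bulk spammer.
    Thresholds are placeholders, not values from the article."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # recipient -> (timestamp, sender) pairs inside the window
    flagged = {}
    for ts, rcpt, sender in sorted(parse_lines(text)):
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop messages that fell out of the sliding window
        senders = {s for _, s in q}
        if len(q) >= threshold and len(senders) >= min_senders:
            prev = flagged.get(rcpt, (0, 0))
            flagged[rcpt] = (max(prev[0], len(q)), max(prev[1], len(senders)))
    return flagged

if __name__ == "__main__":
    for rcpt, (n, s) in detect_email_bombing(SAMPLE_LOG).items():
        print(f"possible email bombing: {rcpt} received {n} messages from {s} senders")
```

A hit on this detector is a cue to warn the affected user that an unsolicited "tech support" call or Teams message may follow, and to watch for new remote-access tool installs on their endpoint.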