Three malicious packages (requesys, requesrs and requesr) were found in the PyPI repository at once, all typosquatting the popular Requests package. All three packages were ransomware and, as it turned out, were created by a bored schoolboy.
Sonatype experts who discovered the malware say that anyone who mistakenly downloads and uses these packages in their projects falls victim to a rather strange ransomware malware.
All versions of the requesys package (downloaded about 258 times) contained scripts that first scanned folders such as Documents, Downloads and Pictures on Windows, and then started encrypting files.
Versions 1.0-1.4 shipped the encryption and decryption code in clear text, while version 1.5 shipped as a base64-obfuscated executable, which made analysis a little more difficult.
The malware used the Fernet module from the cryptography library for symmetric-key encryption. Fernet was also used to generate a random encryption key, which the victim later needed in order to decrypt the data.
Interestingly, one funny feature was found in the code: the malicious script was only run if the username of the Windows PC was different from “GIAMI”. Obviously, this is the username of the malware author himself.
If everything went well and the ransomware ran on the victim’s system, the affected user saw a pop-up message with further instructions: they were asked to contact the package author, b8ff, also known as OHR (Only Hope Remains), via his Discord server.
The researchers say that anyone could join the hacker’s Discord server. There, they discovered the “#ransomware-notifications” channel, which contained a list of usernames for 15 victims who had installed and run a malicious package from PyPI. The automatically generated messages also showed the decryption keys that victims could use to decrypt their files locked by requesys.
As already mentioned, version 1.5 was slightly more complex, obfuscated, and shipped as a 64-bit Windows executable. In general, though, this EXE behaved the same as the earlier versions: it generated an encryption/decryption key, uploaded a copy of the key to the author’s Discord, encrypted files, and directed victims to the data recovery channel.
Analysts say that they managed to identify the author of this simple malware without much difficulty: OHR (Only Hope Remains) or b8ff published the exploit code on GitHub (with a note that the author is not responsible in case of misuse) and, without hiding, used the same nickname in PyPI, Discord, GitHub and other sites. It turns out that OHR even has a YouTube channel with some pretty innocuous hacking tutorials (now removed).
However, the typosquatting packages carried no such disclaimer: there was no claim or notice that they were published as part of ethical research, and OHR made no effort to keep people from infecting their PCs. On the contrary, the packages launched malicious scripts immediately after installation.
As a result, the researchers decided to contact the author of the ransomware and ask about his motives. B8ff readily responded and told Sonatype that the ransomware script in these packages was “completely open source” and was part of a project being created “for fun”. Even though the packages did encrypt user data, the author claimed they were technically harmless.
“Technically, it’s ransomware without ransom,” b8ff said, referring to the fact that it doesn’t require money after encryption. “All decryption keys are [sent] to the #ransomware-notifications channel on my Discord server.”
B8ff told the experts that he is from Italy and described himself as a schoolboy who is just learning to develop and has only recently become interested in exploits and the ease of creating them.
“I was surprised when I realized how easy it is to create such an exploit and how interesting it is. I’m still at school and at the moment I know Python, Lua, HTML, a little CPP and that’s it,” admits b8ff.
Experts have already notified PyPI of their discovery, but have not yet received a response. However, after speaking with the experts, b8ff himself helped prevent further attacks and renamed the requesys package so that developers who misspelled requests would not accidentally download ransomware. The other two packages have been completely removed from PyPI (although it is not clear whether the author removed them voluntarily or the PyPI administrators did).
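A defender-side check for the kind of near-miss names described in this article, added here as an example that is not code from the article or from Sonatype. It flags a package name sitting one or two edits away from a well-known name, as requesys, requesrs and requesr sat next to requests; the short allowlist of popular names is a constructed stand-in for a real list of top-downloaded PyPI projects.

```python
# Added example (not from the original article): flag package names that are
# a near miss of a well-known package, the pattern behind requesys/requesrs/requesr.

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]

# Constructed allowlist; a real deployment would load the top-N downloaded
# PyPI project names instead of this hand-picked tuple.
POPULAR = ("requests", "numpy", "flask", "django", "cryptography")

def typosquat_candidate(name: str, popular=POPULAR, max_distance: int = 2):
    """Return (closest_popular_name, distance) when `name` is within
    `max_distance` edits of a popular package but is not that package.
    Return None for an exact match or for a name that is not close to any."""
    name = name.lower()
    if name in popular:
        return None
    best = min(popular, key=lambda p: levenshtein(name, p))
    d = levenshtein(name, best)
    return (best, d) if d <= max_distance else None

if __name__ == "__main__":
    for pkg in ("requesys", "requesrs", "requesr", "requests", "pandas"):
        print(pkg, "->", typosquat_candidate(pkg))
```

Wire this into a pre-install hook or a dependency review step and treat any non-None result as something a human should look at before the install proceeds.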