
Novel Razr ransomware distributed via PythonAnywhere exploitation


Hackread reports that online integrated development environment and web hosting service PythonAnywhere has been leveraged to facilitate the stealthy distribution of the new Razr ransomware strain.

According to a report from ANY.RUN researchers, a Razr infection begins by generating a unique machine ID, an encryption key and an initialization vector (IV), which are then sent as unencrypted JSON to a command-and-control server; the malicious file itself is hosted on the xmb[.]pythonanywhere[.]com subdomain of PythonAnywhere, which helps it evade detection. The researchers also found that the payload encrypts files with AES-256 in Cipher Block Chaining (CBC) mode. The attackers drop a ransom note directing victims to a Tor domain to pay the demanded ransom. Further analysis of Razr, including public sandbox sessions tied to the PythonAnywhere subdomain, also uncovered several webhooks linking to Discord.
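The detail that the key material leaves the host as unencrypted JSON is the most actionable part of the report for defenders: a proxy or TLS-inspection log that records request bodies can be scanned for POSTs carrying a base64 AES-256 key and a 16-byte IV alongside a machine identifier. The following added example (not code from SC Media, ANY.RUN or the malware) implements that check over a few constructed proxy log records. The record format, field names (`machine_id`, `key`, `iv`), host names and byte values are all assumptions made up for the example; the `HOSTING_SUFFIXES` list only adds context to a finding and is not required for a match.

```python
"""Scan constructed proxy log records for cleartext key-material beacons:
a POST whose JSON body carries a 32-byte base64 key plus a 16-byte base64 IV
(and optionally a machine identifier), as described in the Razr report.
Added example; all hosts, fields and values are constructed, not real IoCs."""
import base64
import binascii
import json
import re
from typing import Iterable, List, Optional, Set

# Hosting/IDE platform suffixes worth noting as C2 context (assumption for this example).
HOSTING_SUFFIXES = (".pythonanywhere.com",)


def _b64_len(value) -> Optional[int]:
    """Return the decoded length if value is canonical base64, else None."""
    if not isinstance(value, str) or len(value) % 4:
        return None
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def classify_fields(payload: dict) -> Set[str]:
    """Label JSON fields that look like an AES-256 key, a CBC IV, or a machine ID."""
    found = set()
    for name, value in payload.items():
        n = str(name).lower()
        size = _b64_len(value)
        if size == 32 and re.search(r"key|aes|secret", n):
            found.add("aes256_key")
        elif size == 16 and re.search(r"(^|_)iv($|_)|nonce|vector", n):
            found.add("aes_iv")
        elif re.search(r"(^|_)id($|_)|machine|host|uuid", n):
            found.add("machine_id")
    return found


def inspect_record(record: dict) -> Optional[dict]:
    """Return a finding for a POST whose JSON body carries a key (and ideally an IV)."""
    if record.get("method") != "POST":
        return None
    try:
        payload = json.loads(record.get("body", ""))
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict):
        return None
    found = classify_fields(payload)
    if "aes256_key" not in found:  # a key is the minimum; an IV raises severity
        return None
    host = str(record.get("host", "")).lower()
    indicators = sorted(found)
    if host.endswith(HOSTING_SUFFIXES):
        indicators.append("hosting_platform_c2")
    return {
        "ts": record.get("ts"),
        "src": record.get("src"),
        "host": host,
        "severity": "high" if "aes_iv" in found else "medium",
        "indicators": indicators,
    }


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Parse one JSON record per line and collect findings; skip unparsable lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = inspect_record(record)
        if finding:
            findings.append(finding)
    return findings


def build_sample_log() -> List[str]:
    """Constructed proxy records; the key/IV bytes are dummy values, not real material."""
    key = base64.b64encode(bytes(range(32))).decode()
    iv = base64.b64encode(bytes(range(16))).decode()
    beacon = json.dumps({"machine_id": "WS-0042", "key": key, "iv": iv})
    benign_login = json.dumps({"user": "alice", "api_key": "sk_test_not_base64_material"})
    signed_only = json.dumps({"nonce": iv, "sig": key})  # IV-like value but no key field
    return [
        json.dumps({"ts": "2024-01-01T10:00:01Z", "src": "10.0.0.15", "method": "POST",
                    "host": "example-c2.pythonanywhere.com", "path": "/reg", "body": beacon}),
        json.dumps({"ts": "2024-01-01T10:00:05Z", "src": "10.0.0.15", "method": "GET",
                    "host": "example-c2.pythonanywhere.com", "path": "/payload", "body": ""}),
        json.dumps({"ts": "2024-01-01T10:01:00Z", "src": "10.0.0.22", "method": "POST",
                    "host": "api.example.com", "path": "/login", "body": benign_login}),
        json.dumps({"ts": "2024-01-01T10:02:00Z", "src": "10.0.0.23", "method": "POST",
                    "host": "api.example.com", "path": "/verify", "body": signed_only}),
    ]


if __name__ == "__main__":
    for f in scan_log(build_sample_log()):
        print(json.dumps(f))
```

Legitimate APIs also post 32-byte base64 values under names like `key`, so treat a match as a triage lead rather than a verdict; correlating it with the source host's process telemetry or with a subsequent burst of file renames is the natural next step. The same logic also shows why this beacon matters for recovery: if the proxy captured it, the key and IV for that host were recorded in the clear.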
