Ransomware Indicators in Python Scripts

Why Target Data Science?

Data Science environments are high-value targets. They hold proprietary datasets, trained model weights (worth millions), and intellectual property.

Python-based ransomware is surprisingly simple and effective. It does not need a compiled binary; it only needs to run inside a trusted environment (such as a Jupyter server) with write access to the filesystem.

The Encryption Loop

A typical Python ransomware script follows this pattern:

  1. Walk the filesystem: os.walk() or glob.glob().
  2. Target specific extensions: .csv, .parquet, .pt, .ipynb.
  3. Encrypt: Read file -> Encrypt (AES) -> Write new file -> Delete old file.

    # Simplified malicious logic: walk a data directory, encrypt each
    # matching file, then delete the original (encrypt_file is not shown)
    import os

    for root, dirs, files in os.walk("/data"):
        for file in files:
            if file.endswith(".parquet"):
                encrypt_file(os.path.join(root, file))
                os.remove(os.path.join(root, file))

Detecting the Intent

Legitimate data science code reads and writes files, but it rarely encrypts and deletes them in a loop.

Veritensor scans for semantic combinations that suggest ransomware behavior:

  • Usage of cryptography libraries (cryptography.fernet, pycrypto) alongside file deletion (os.remove, shutil.rmtree).
  • Recursive file walking combined with write operations.
  • Hardcoded extensions often targeted by ransomware.
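As an added example (not Veritensor's own scanner and not code from this page), the following Python script turns the three heuristics above into a static scan of a script's AST, so a suspect file can be inspected without executing it. The module and call names it matches are the ones listed above (cryptography.fernet, pycrypto's Crypto package, os.remove, shutil.rmtree, os.walk, glob.glob, and the four extensions); the extra entries in the tables, the rule names, the verdict thresholds and the two sample scripts are assumptions constructed for illustration.

```python
"""Static AST scan for the ransomware indicator combinations described above."""
import ast

# Indicator tables. Names from the page: cryptography(.fernet), Crypto (pycrypto),
# os.remove, shutil.rmtree, os.walk, glob.glob, and the four extensions.
# Cryptodome, os.unlink and glob.iglob are assumed additions.
CRYPTO_MODULES = {"cryptography", "Crypto", "Cryptodome"}
DELETE_CALLS = {"os.remove", "os.unlink", "shutil.rmtree"}
WALK_CALLS = {"os.walk", "glob.glob", "glob.iglob"}
TARGET_EXTENSIONS = {".csv", ".parquet", ".pt", ".ipynb"}


def _dotted(node):
    """Return 'a.b.c' for an ast.Attribute / ast.Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _open_mode_is_write(call):
    """True when an open() call uses a write/append/create mode literal."""
    mode = None
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return isinstance(mode, str) and any(c in mode for c in "wax")


class IndicatorVisitor(ast.NodeVisitor):
    """Collects raw indicators; the rules are combined in scan_source()."""

    def __init__(self):
        self.crypto, self.deletes, self.walks = set(), set(), set()
        self.writes, self.extensions = set(), set()

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] in CRYPTO_MODULES:
                self.crypto.add(alias.name)

    def visit_ImportFrom(self, node):
        if node.module and node.module.split(".")[0] in CRYPTO_MODULES:
            self.crypto.add(node.module)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in DELETE_CALLS:
            self.deletes.add(name)
        elif name in WALK_CALLS:
            self.walks.add(name)
        elif name == "open" and _open_mode_is_write(node):
            self.writes.add("open")
        self.generic_visit(node)  # keep walking into arguments and bodies

    def visit_Constant(self, node):
        # Exact match on purpose: 'endswith(".parquet")' fires, '*.csv' globs do not
        if isinstance(node.value, str) and node.value in TARGET_EXTENSIONS:
            self.extensions.add(node.value)


def scan_source(source):
    """Parse a script and report which indicator combinations fire."""
    v = IndicatorVisitor()
    v.visit(ast.parse(source))
    rules = []
    if v.crypto and v.deletes:
        rules.append("crypto_and_delete")      # encryption library + file deletion
    if v.walks and v.writes:
        rules.append("walk_and_write")         # recursive walk + write operations
    if v.extensions:
        rules.append("targeted_extensions")    # hardcoded ransomware-style targets
    if "crypto_and_delete" in rules or len(rules) >= 2:
        verdict = "suspicious"
    elif rules:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "rules": rules, "crypto": sorted(v.crypto),
            "deletes": sorted(v.deletes), "walks": sorted(v.walks),
            "writes": sorted(v.writes), "extensions": sorted(v.extensions)}


# Constructed sample: mirrors the loop shown earlier on this page (encrypt_file not defined).
SUSPICIOUS_SAMPLE = '''
import os
from cryptography.fernet import Fernet

for root, dirs, files in os.walk("/data"):
    for file in files:
        if file.endswith(".parquet"):
            encrypt_file(os.path.join(root, file))
            os.remove(os.path.join(root, file))
'''

# Constructed sample: an ordinary ETL step that walks and writes but never deletes or encrypts.
BENIGN_SAMPLE = '''
import glob
import pandas as pd

frames = [pd.read_csv(p) for p in glob.glob("/data/raw/*.csv")]
pd.concat(frames).to_parquet("/data/clean/all.parquet")
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_source(src))
```

Because the scan is purely syntactic it sees only literal names: a script that imports a crypto library under an alias built at runtime, or deletes files through `subprocess`, will not fire, and a benign pipeline that uses `open(..., "wb")` inside an `os.walk` loop lands in "review" rather than "clean". That is the intended operating point for a triage heuristic: it surfaces candidates for the manual audit the next paragraph calls for rather than deciding on its own.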

If you see a script iterating over your /data folder and importing encryption libraries, audit it immediately.