In a new attack campaign, operators behind Venus ransomware are compromising publicly-exposed Remote Desktop (RDP) services to encrypt Windows devices.
Venus ransomware
In August 2022, the Venus ransomware started its operation and started locking victims out o their systems globally, MalwareHunterTeam revealed.
- When executed, the ransomware can terminate thirty-nine processes linked with database servers and Office applications.
- It deletes Shadow Copy Volumes, and event logs; disables Data Execution Prevention using a command.
- It appends the .venus extension, a file named test[.]jpg would be encrypted and renamed test[.]jpg[.]Venus.
More details
The ransomware calls itself Venus and shares a TOX address and email address to contact the operators.
- It creates an HTA ransom note in the %Temp% folder that is automatically shown when it has finished encrypting the device.
- The ransom note is a base64 encoded blob, which is believed to be an encrypted decryption key.
- Further, the RDP is being abused for initial access to a network, even with a non-standard port number for the service.
Conclusion
The Venus ransomware is active and new submissions are daily being uploaded to ID Ransomware. Currently, the ransomware targets Remote Desktop services, hence these services should be put behind a firewall. Additionally, no Remote Desktop services should be publicly exposed and only be accessed via VPN.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/0e8a_shutterstock_1202666194.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/a5c8_shutterstock_2065679765.jpeg)
