Jump to content
  • Venus Ransomware targets publicly exposed Remote Desktop services

    alf9872000

    • 451 views
    • 3 minutes
     Share


    • 451 views
    • 3 minutes

    Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.

     

    Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related.

     

    BleepingComputer first learned of the ransomware from MalwareHunterTeam, who was contacted by security analyst linuxct looking for information on it.

     

    Linuxct told BleepingComputer that the threat actors gained access to a victim's corporate network through the Windows Remote Desktop protocol.

     

    Another victim in the BleepingComputer forums also reported RDP being used for initial access to their network, even when using a non-standard port number for the service.

    How Venus encrypts Windows devices

    When executed, the Venus ransomware will attempt to terminate thirty-nine processes associated with database servers and Microsoft Office applications.

    taskkill, msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, sqlservr.exe, thebat64.exe, thunderbird.exe, winword.exe, wordpad.exe

    The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command:

    wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE

    When encrypting files, the ransomware will append the .venus extension, as shown below. For example, a file called test.jpg would be encrypted and renamed test.jpg. Venus.

     

    venus-encrypted-files.jpg

    Files encrypted by the Venus Ransomware - Source: BleepingComputer

     

    In each encrypted file, the ransomware will add a 'goodgamer' filemarker and other information to the end of the file. It is unclear what this additional information is at this time.

     

    file-marker.jpg
    Goodgamer file marker in an encrypted file - Source: BleepingComputer
     

    The ransomware will create an HTA ransom note in the %Temp% folder that will automatically be displayed when the ransomware is finished encrypting the device.

     

    As you can see below, this ransomware calls itself "Venus" and shares a TOX address and email address that can be used to contact the attacker to negotiate a ransom payment. At the end of the ransom note is a base64 encoded blob, which is likely the encrypted decryption key.

     

    ransom-note.jpg

    Venus Ransomware ransom note - Source: BleepingComputer

     

    At this time, the Venus ransomware is fairly active, with new submissions uploaded to ID Ransomware daily.

     

    As the ransomware appears to be targeting publicly-exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall.

     

    Ideally, no Remote Desktop Services should be publicly exposed on the Internet and only be accessible via a VPN.

     

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...