Threat actors can encrypt Windows PCs by breaking into publicly available Remote Desktop services using the relatively new Venus Ransomware. Venus Ransomware has since encrypted victims all across the world and looks to have started functioning around the middle of August 2022. Although it is unknown if they are connected, another ransomware has employed the same encrypted file extension since 2021.
MalwareHunterTeam, approached by security analyst linuxct seeking information on it, was the first to inform about the ransomware. According to Linuxct, the threat actors used the Windows Remote Desktop Protocol to reach a victim’s corporate network. Even while employing a non-standard port number for the service, another victim stated that RDP was used for first access to their network.
When activated, the Venus ransomware would make an effort to kill 39 processes linked to Microsoft Office and database servers. The ransomware uses the following command to erase event logs, deactivate Data Execution Prevention, and destroy Shadow Copy Volumes:
wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
The ransomware will add the .venus extension to encrypted files, as seen below. For instance, test.jpg would be renamed test.jpg.Venus after being encrypted. The ransomware will append a “goodgamer” filemarker and other data to the end of each encrypted file. At this point, it is unknown what this further data entails.
When the device has been fully encrypted, the ransomware will produce an HTA ransom notice in the %Temp% folder, which will be automatically displayed. This ransomware, which goes by the name “Venus,” has shared a TOX address and email address that may be used to get in touch with the attacker and discuss a ransom payment, as you can see below. A base64 encoded blob, which is probably the encrypted decryption key, can be found at the conclusion of the ransom message.
The Venus ransomware is now comparatively active, with new submissions being published to ID Ransomware regularly. It is essential to hide these services behind a firewall because the ransomware appears to be targeting publicly accessible Remote Desktop services, even those using irregular TCP ports. Ideally, no Remote Desktop Services should be openly accessible on the Internet and should only be reachable over a VPN.
