Venus Ransomware is a malware family whose operations began in August 2022, as reported by researchers at MalwareHunterTeam. On October 16th, 2022, BleepingComputer released a report detailing the techniques observed in the Venus Ransomware variant. The actors using this variant abuse publicly exposed Remote Desktop services to gain access and carry out encryption, appending the “.venus” extension to files encrypted on compromised hosts. Victims have been observed around the world; however, specific countries or organizations have not yet been explicitly identified. Venus Ransomware is understood to be active, with new samples submitted daily to the ID Ransomware website run by MalwareHunterTeam. The variant therefore poses a significant and present risk that should be assessed and prepared for, especially in environments with publicly facing RDP services.
Threat Synopsis – Venus Ransomware
Venus Ransomware was observed and examined by MalwareHunterTeam researchers in October 2022, abusing public-facing Remote Desktop services on victim machines to gain initial access. The variant uses TTPs that are conventional but still effective, and researchers have observed them in active use recently. At the outset, the variant targets and exploits Windows Remote Desktop Protocol services that are exposed publicly, including those listening on non-standard port numbers.
After initial access is achieved and the variant is executed, the malware attempts to kill “39 processes that are associated with database servers and Microsoft Office applications…” so that files can be encrypted without open handles from those processes impeding the operation. In addition, it attempts to hinder system recovery by deleting shadow copies and event logs and by disabling Data Execution Prevention. Thereafter, the malware encrypts files and appends the “.venus” extension to the affected files. It was also noted that the variant adds a “goodgamer” file marker at the end of the encrypted files. An HTA ransom note is then spawned in the %Temp% folder and displayed upon completion of the encryption process.
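As an added example (not tooling from the report or its authors), the following Python triage scanner walks a directory tree for the two file-level indicators the report gives: the “.venus” extension and the “goodgamer” trailer. It assumes the marker is stored as plain ASCII bytes near the end of the file, and the sample files it creates are constructed for the dry run, not real ransomware output.

```python
import os
import tempfile

VENUS_EXT = ".venus"
# The report places the marker at the end of encrypted files; storing it as
# these plain ASCII bytes is an assumption of this example.
VENUS_MARKER = b"goodgamer"
TAIL_BYTES = 64  # only this much of each file's tail is read


def tail_has_marker(path: str) -> bool:
    """Read only the last TAIL_BYTES of the file and look for the marker."""
    try:
        with open(path, "rb") as fh:
            fh.seek(max(0, os.path.getsize(path) - TAIL_BYTES))
            return VENUS_MARKER in fh.read()
    except OSError:
        return False  # locked or unreadable file: skip rather than abort triage


def scan_tree(root: str) -> dict[str, str]:
    """Map each suspicious path to 'high' (both indicators) or 'medium' (one)."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext_hit = name.lower().endswith(VENUS_EXT)
            marker_hit = tail_has_marker(path)
            if ext_hit and marker_hit:
                findings[path] = "high"
            elif ext_hit or marker_hit:  # renamed file or interrupted write
                findings[path] = "medium"
    return findings


def build_demo_tree() -> str:
    """Constructed sample files (not real ransomware output) for a dry run."""
    root = tempfile.mkdtemp()
    samples = {
        "report.docx.venus": b"\x9a\x01ciphertext" + VENUS_MARKER,  # both
        "budget.xlsx.venus": b"partial write, no trailer",  # extension only
        "notes.txt": b"renamed back, trailer intact" + VENUS_MARKER,  # marker only
        "clean.pdf": b"%PDF-1.4 untouched",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Running `scan_tree(build_demo_tree())` reports the two-indicator file as high and the single-indicator files as medium while leaving the clean file out; pointed at a real volume, the medium tier is where renamed or partially written files surface for manual review.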