Venus ransomware target publicly-exposed Remote Desktop services

November 2, 2022 - TuxCare PR Team

A relatively new ransomware operation, identified as Venus is hacking into publicly exposed Remote Desktop services to encrypt Windows devices. According to researchers, Venus ransomware started operating in mid or August 2022 and has since encrypted victims all over the world.

Venus ransomware is basically a malicious malware that interfere with essential computer settings with the main objective of encrypting valuable files. Venus encryption to store access to the data organizations. To make them recognizable, the ransomware appends an extension of the same name to their original name.

The spread of Venus ransomware could be realized via techniques such as email fraud campaigns, software cracks, fake software update notifications, freeware with compromised installers and malicious web links. All the methods listed have a single goal, which include tricking people into downloading malicious software on their PCs, while they think that they have installed the original content.

As soon as it is executed, the ransomware tries to terminate thirty-nine processes that are connected to database servers and Microsoft applications. The ransomware then continues to delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention through an identified command.

When encrypting files, the ransomware appends the .venus extension. In each encrypted file, the ransomware will add a ‘goodgamer’ filemarker and other information to the end of the file. However, it remains unclear what this stands for.

The ransomware creates an HTA ransom note in the %Temp% folder that will automatically be displayed when the ransomware is ready to encrypt the device.

Analyzing the ransom note seen, the ransomware calls itself “Venus” and shared a TOX address and email address that can be used to reach the threat actor to negotiate a ransom payment. At the end of the ransom note is a Base64 encoded blob, which is likely the encrypted decryption key.

In order to remove the ransomware on servers, organizations are recommended to follow given steps. The first step is to boot the PC in safe mode to isolate and remove the Venus Virus. The second step is to uninstall Venus Virus and related software from Windows. The third step is to clean any registries created by the virus on their computer. The fourth step involves scanning for Venus Virus with SpyHunter anti-malware tool, Step 5 involves efforts to restore tiles encrypted by Venus virus.

The sources for this piece include an article in BleepingComputer.

Summary