ClickCease Venus ransomware target remote desktop services

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Venus ransomware target publicly-exposed Remote Desktop services

Obanla Opeyemi

November 2, 2022 - TuxCare expert team

A relatively new ransomware operation, identified as Venus is hacking into publicly exposed Remote Desktop services to encrypt Windows devices. According to researchers, Venus ransomware started operating in mid or August 2022 and has since encrypted victims all over the world.

Venus ransomware is basically a malicious malware that interfere with essential computer settings with the main objective of encrypting valuable files. Venus encryption to store access to the data organizations. To make them recognizable, the ransomware appends an extension of the same name to their original name.

The spread of Venus ransomware could be realized via techniques such as email fraud campaigns, software cracks, fake software update notifications, freeware with compromised installers and malicious web links. All the methods listed have a single goal, which include tricking people into downloading malicious software on their PCs, while they think that they have installed the original content.

As soon as it is executed, the ransomware tries to terminate thirty-nine processes that are connected to database servers and Microsoft applications. The ransomware then continues to delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention through an identified command.

When encrypting files, the ransomware appends the .venus extension. In each encrypted file, the ransomware will add a ‘goodgamer’ filemarker and other information to the end of the file. However, it remains unclear what this stands for.

The ransomware creates an HTA ransom note in the %Temp% folder that will automatically be displayed when the ransomware is ready to encrypt the device.

Analyzing the ransom note seen, the ransomware calls itself “Venus” and shared a TOX address and email address that can be used to reach the threat actor to negotiate a ransom payment. At the end of the ransom note is a Base64 encoded blob, which is likely the encrypted decryption key.

In order to remove the ransomware on servers, organizations are recommended to follow given steps. The first step is to boot the PC in safe mode to isolate and remove the Venus Virus. The second step is to uninstall Venus Virus and related software from Windows. The third step is to clean any registries created by the virus on their computer. The fourth step involves scanning for Venus Virus with SpyHunter anti-malware tool, Step 5 involves efforts to restore tiles encrypted by Venus virus.

The sources for this piece include an article in BleepingComputer.

Summary
Venus ransomware target publicly-exposed Remote Desktop services
Article Name
Venus ransomware target publicly-exposed Remote Desktop services
Description
A relatively new ransomware operation, identified as Venus is hacking into publicly exposed Remote Desktop services to encrypt Windows devices.
Author
Publisher Name
Tuxcare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

How GPT models can be...

According to CyberArk researchers, GPT-based models like ChatGPT can be...

January 30, 2023

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023

IceID malware infiltrates Active Directory...

In a notable IcedID malware attack, the assailant impacted the...

January 23, 2023