HC3: Analyst Note: Venus Ransomware Targets Publicly Exposed Remote Desktop Services
November 9, 2022 TLP: Clear Report: 202211091400
HC3 is aware of at least one healthcare entity in the United States falling victim to Venus ransomware recently. The threat actors behind Venus ransomware operations are known to target publicly exposed Remote Desktop Services to encrypt Windows devices. This report provides additional information, indicators of compromise, techniques and corresponding mitigations associated with Venus ransomware.
Venus ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. When executed, the Venus ransomware will attempt to terminate 39 processes associated with database servers and Microsoft Office applications. As the ransomware appears to be targeting publicly-exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall. The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command. When encrypting files, the ransomware uses AES and RSA algorithms and will append the ‘.venus’ extension. Ineach encrypted file, a ‘goodgamer’ filemarker and other information are added to the end of the file.
The Venus ransomware variant, also known as GOODGAME, should not be confused with VenusLocker which uses the ‘.venusf’ file extension during encryption. The operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time. Despite this, the ransomware uses a wide variety of contact email addresses and TOX IDs, indicating it is likely that multiple threat actors are distributing the ransomware. Open source reports indicate that initial ransom demands may start around 1 BTC or less than USD $20,000. Samples in the
wild have been observed contacting IP addresses in various countries including the US, Great Britain, Denmark, France, Ireland, the Netherlands, Russia, and Japan.
Download the full report on HC3.