A recent report has revealed that the Venus Ransomware group is currently targeting publicly exposed Remote Desktop services in order to encrypt devices running Windows.

A relatively new threat group, Venus Ransomware is believed to have started operating in mid-August this year, with wide-ranging attacks that have encrypted victims’ systems in various parts of the world. However, experts have uncovered that another ransomware outfit was using an identical encrypted file extension back in 2021, although it remains unclear whether the attacks are related or the gangs affiliated.

Threat analyst MalwareHunterTeam was contacted by cybersecurity firm linuxct regarding the ransomware attack. Its team was seeking further information on the assault after confirming that the threat actors involved had gained access to a specific victim’s corporate network via the Windows Remote Desktop protocol.

Another victim later came forward reporting that Remote Desktop had likewise been used to obtain initial network access, even though they ran the service on a non-standard port number.

How does Venus Ransomware encrypt Windows devices?

Once executed, the ransomware attempts to end thirty-nine different processes associated with Microsoft Office applications and database servers, including taskkill, sqlagent.exe, msftesql.exe, sqlbrowser.exe, sqlwriter.exe, sqlservr.exe and oracle.exe, to name but a few. Additionally, Venus Ransomware deletes event logs, disables Data Execution Prevention and removes Volume Shadow Copies.

When encrypting a data file, the malware renames it by appending the .venus extension.
For each encrypted file, the ransomware also adds a file marker labelled ‘goodgamer’, along with other information, at the end of the file. At present, it is not clear what the purpose of this additional information is.
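The two file-level artifacts described above (the .venus extension and the ‘goodgamer’ trailer marker) can be used to triage a suspected infection. The following script is an added example, not code from the article or any vendor; because the page does not document the trailer layout, it assumes the marker sits somewhere in the last 4096 bytes of the file rather than at a fixed offset.

```python
"""Triage helper for files touched by a suspected Venus Ransomware run.

Added example. Flags files carrying the '.venus' extension and/or the
'goodgamer' marker in their trailing bytes. TAIL_BYTES is an assumption:
the article does not document how large the appended trailer is.
"""
import os
from dataclasses import dataclass

MARKER = b"goodgamer"
EXTENSION = ".venus"
TAIL_BYTES = 4096  # assumption: marker lies within the last 4 KiB


@dataclass
class Finding:
    path: str
    has_extension: bool
    has_marker: bool


def has_marker(data: bytes, tail: int = TAIL_BYTES) -> bool:
    """True if MARKER appears within the trailing `tail` bytes of `data`."""
    return MARKER in data[-tail:]


def classify(path: str, data: bytes) -> Finding:
    """Classify one file by its name and its trailing bytes."""
    return Finding(path, path.lower().endswith(EXTENSION), has_marker(data))


def scan_tree(root: str) -> list:
    """Walk `root`, reading only each file's tail, and return hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    fh.seek(0, os.SEEK_END)
                    fh.seek(max(0, fh.tell() - TAIL_BYTES))
                    tail = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep triaging the rest
            finding = classify(path, tail)
            if finding.has_extension or finding.has_marker:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed sample: opaque bytes with the marker and padding appended.
    sample = bytes(range(256)) * 4 + MARKER + b"\x00" * 16
    print(classify("report.docx.venus", sample))
```

Run it against a mounted image or share with `scan_tree("/path/to/evidence")`; hits with the marker but without the extension would indicate a trailer the renaming step never reached.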

A demand for payment

The ransomware also creates an HTA ransom note in the %Temp% folder, which is displayed automatically once the ransomware has finished encrypting the user’s device. In the note, the attack group refers to itself as Venus and shares both an email address and a TOX address that the victim can use to get in touch and enter negotiations over the ransom payment.

The latest ransomware attacks typically use double extortion tactics. Before encrypting sensitive data files and operating systems, attack groups exfiltrate confidential information and use it as leverage to coerce companies into making a payment. In some cases, ransomware gangs will provide a sample of the data they steal on dedicated leak sites. The sample acts as evidence that their claims of theft are legitimate.

If a victim refuses to pay the ransom, the gang will threaten to expose the stolen data. This may happen on their leak site, or in some instances, the confidential information will be uploaded to hacker forums on the Dark Web and auctioned off to the highest bidder.

At present, Venus Ransomware remains active, with new submissions being uploaded daily to ID Ransomware. Enterprises are advised never to expose Remote Desktop Services directly to the internet and to make them reachable only through a VPN.