On Nov. 9 the Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note on Venus ransomware that targets publicly exposed remote desktop services.
The note states that “HC3 is aware of at least one healthcare entity in the United States falling victim to Venus ransomware recently. The threat actors behind Venus ransomware operations are known to target publicly exposed Remote Desktop Services to encrypt Windows devices. This report provides additional information, indicators of compromise, techniques and corresponding mitigations associated with Venus ransomware.”
Venus ransomware, according to the note, began operating in mid-August of 2022 and has encrypted victims on a global scale. Venus ransomware, when executed, will try to terminate 39 processes associated with database servers and Microsoft Office applications. “As the ransomware appears to be targeting publicly-exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall,” the release adds. “The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command. When encrypting files, the ransomware uses AES and RSA algorithms and will append the ‘.venus’ extension. In each encrypted file, a ‘goodgamer’ filemarker and other information are added to the end of the file.”
The note suggests mitigations such as implementing a recovery plan, implementing network segmentation, and regularly backing up data.
An analyst’s comment was included in the note, saying that “The Venus ransomware variant, also known as GOODGAME, should not be confused with VenusLocker which uses the ‘.venusf’ file extension during encryption. The operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time. Despite this, the ransomware uses a wide variety of contact email addresses and TOX IDs, indicating it is likely that multiple threat actors are distributing the ransomware. Open source reports indicate that initial ransom demands may start around 1 BTC or less than USD $20,000. Samples in the wild have been observed contacting IP addresses in various countries including the US, Great Britain, Denmark, France, Ireland, the Netherlands, Russia, and Japan.”