A relatively new ransomware group has been found hitting publicly exposed Remote Desktop services, including ones listening on non-standard ports.
Named Venus Ransomware, the group terminates a number of legitimate Windows processes before encrypting the target system, and it also deletes the event logs and shadow copies to hinder recovery and forensic analysis.
Venus Ransomware Modus Operandi
As noted by a security analyst and later by BleepingComputer, a new ransomware group named Venus, which started operating in August 2022, has been targeting publicly exposed remote desktop services.
@malwrhunterteam Hey, do you have any details about 'Venus' ransomware (not VenusLocker, extension is .venus instead of .venusf). Infection happened via RDP. Can give more details in DM if wanted.
— linuxct (@linuxct) October 6, 2022
Starting off, the Venus ransomware tries to terminate the 39 processes below, which belong to database servers, Microsoft Office applications and e-mail clients, before encrypting the victim's data. The list as published begins with the taskkill command used to do the killing and repeats a few names (agntsvc.exe and sqlservr.exe).
taskkill, msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, sqlservr.exe, thebat64.exe, thunderbird.exe, winword.exe, wordpad.exe
Further, the ransomware deletes the Windows event logs, which hinders forensic reconstruction, and the Volume Shadow Copies, which removes the easiest way to restore files without the attackers' decryption key. It also disables Data Execution Prevention (DEP); DEP is a memory-protection setting, so that step does not affect data recovery. After all this, the ransomware encrypts the files and appends the .venus extension to every encrypted file.
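The two steps above, process termination and pre-encryption clean-up, are observable behaviour a defender can alert on before any file is touched. The following Python script is an added example written for this page, not code from the article or from the ransomware. It runs simple detection rules over constructed process-creation log lines (tab-separated timestamp, host, image path and command line, loosely modelled on Sysmon event 1). The kill list is the article's list above, de-duplicated and without the taskkill command itself. The article does not say how Venus deletes the event logs and shadow copies, so the vssadmin/wmic and wevtutil patterns are assumptions based on how that is commonly done, not commands the page attributes to Venus. A single taskkill of an Office process is routine admin noise, so that rule fires only on a burst of distinct kill-list names from one host.

```python
import re
from collections import defaultdict

# Process names the article lists as terminated by Venus before encryption,
# de-duplicated (the published list repeats agntsvc.exe and sqlservr.exe) and
# without the taskkill command that heads the published list.
VENUS_KILL_LIST = {
    "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe", "sqlwriter.exe",
    "oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe", "mydesktopqos.exe",
    "agntsvc.exe", "isqlplussvc.exe", "xfssvccon.exe", "mydesktopservice.exe",
    "ocautoupds.exe", "encsvc.exe", "firefoxconfig.exe", "tbirdconfig.exe", "ocomm.exe",
    "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "dbeng50.exe", "sqbcoreservice.exe",
    "excel.exe", "infopath.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "outlook.exe",
    "powerpnt.exe", "thebat64.exe", "thunderbird.exe", "winword.exe", "wordpad.exe",
}

# taskkill invoked by name or by full path, with the target image given via /IM.
KILL_TOOL = re.compile(r"(?:^|\\)taskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.IGNORECASE)
# ASSUMPTION: the article does not say how Venus removes shadow copies and event
# logs; these are the commonly used commands, not patterns attributed to Venus.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
LOG_CLEAR = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.IGNORECASE)

# Constructed sample log: timestamp, host, image path, command line (tab-separated).
SAMPLE_LOG = "\n".join([
    "2022-10-06T09:13:58Z\tSRV01\tC:\\Windows\\explorer.exe\texplorer.exe",
    "2022-10-06T09:14:02Z\tSRV01\tC:\\Windows\\System32\\taskkill.exe\ttaskkill /F /IM sqlservr.exe",
    "2022-10-06T09:14:02Z\tSRV01\tC:\\Windows\\System32\\taskkill.exe\ttaskkill /F /IM sqlwriter.exe",
    "2022-10-06T09:14:03Z\tSRV01\tC:\\Windows\\System32\\taskkill.exe\ttaskkill /F /IM outlook.exe",
    "2022-10-06T09:14:03Z\tSRV01\tC:\\Windows\\System32\\taskkill.exe\ttaskkill /F /IM winword.exe",
    "2022-10-06T09:14:05Z\tSRV01\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin delete shadows /all /quiet",
    "2022-10-06T09:14:06Z\tSRV01\tC:\\Windows\\System32\\wevtutil.exe\twevtutil cl Security",
    # A lone kill of one Office process on another host: ordinary admin noise.
    "2022-10-06T11:02:40Z\tWS17\tC:\\Windows\\System32\\taskkill.exe\ttaskkill /IM excel.exe",
])


def parse_line(line):
    ts, host, image, cmdline = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


def detect(log_text, burst_threshold=3):
    """Return sorted (host, rule, detail) findings.

    kill_list_burst fires only when one host kills at least burst_threshold
    distinct names from VENUS_KILL_LIST; the clean-up rules fire per event.
    """
    kills = defaultdict(set)
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        hit = KILL_TOOL.search(ev["cmdline"])
        if hit:
            name = hit.group(1).strip('"').lower()
            if name in VENUS_KILL_LIST:
                kills[ev["host"]].add(name)
        elif SHADOW_DELETE.search(ev["cmdline"]):
            findings.append((ev["host"], "shadow_copy_delete", ev["cmdline"]))
        elif LOG_CLEAR.search(ev["cmdline"]):
            findings.append((ev["host"], "event_log_clear", ev["cmdline"]))
    for host, names in kills.items():
        if len(names) >= burst_threshold:
            findings.append((host, "kill_list_burst", ", ".join(sorted(names))))
    return sorted(findings)


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_LOG):
        print(f"{host:6} {rule:20} {detail}")
```

On the sample data SRV01 produces all three findings while WS17, with its single excel.exe kill, stays quiet. In a real deployment the same three rules map to Sysmon event 1 command lines or Security event 4688; the Security log's own event 1102 (audit log cleared) is an independent signal for the log-deletion step that survives even if the command line was not captured.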
Researchers have found that every encrypted file carries the file marker 'goodgamer' together with other data of unclear purpose appended at the end of the file. The ransomware also drops an HTA ransom note in the %Temp% folder, which is displayed automatically once encryption finishes.
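A quick triage scanner built on the indicators in that paragraph, as an added example rather than the researchers' tooling: it walks a directory tree, flags files that carry both the .venus extension and the 'goodgamer' marker, reports files that match only one indicator (for example a file a user renamed by hand), and lists HTA files in a %Temp% directory for review. The article places the marker at the end of the file without saying how far from it, so the scan reads only the last 512 bytes; that window size and the sample files the script builds in a temporary directory are assumptions constructed for the demo, not real Venus artifacts.

```python
import os
import tempfile
from pathlib import Path

VENUS_EXT = ".venus"
VENUS_MARKER = b"goodgamer"
# ASSUMPTION: the article says the marker sits at the end of the file but not
# how far from it; 512 bytes is a guess generous enough to cover a short trailer.
TRAILER_WINDOW = 512


def has_trailer_marker(path, marker=VENUS_MARKER, window=TRAILER_WINDOW):
    """True if the marker appears within the last `window` bytes of the file."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - window))
        return marker in fh.read()


def scan_tree(root):
    """Return (encrypted, suspect): files showing both indicators, and files
    showing only one of them, as POSIX-style paths relative to root."""
    root = Path(root)
    encrypted, suspect = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        ext_hit = p.suffix.lower() == VENUS_EXT
        marker_hit = has_trailer_marker(p)
        rel = p.relative_to(root).as_posix()
        if ext_hit and marker_hit:
            encrypted.append(rel)
        elif ext_hit or marker_hit:
            suspect.append(rel)
    return sorted(encrypted), sorted(suspect)


def find_ransom_notes(temp_dir):
    """HTA files in a %Temp% directory; the article gives no note filename,
    so every .hta there is returned for manual review."""
    return sorted(p.name for p in Path(temp_dir).glob("*.hta"))


def build_sample_tree(root):
    """Constructed sample data for the demo, not real Venus artifacts."""
    root = Path(root)
    docs, temp = root / "docs", root / "temp"
    docs.mkdir()
    temp.mkdir()
    # Pseudo-ciphertext, then an 8-byte field, the marker and a short trailer.
    body = bytes(range(256)) * 4
    (docs / "q3.xlsx.venus").write_bytes(body + b"\x00" * 8 + VENUS_MARKER + b"\x10" * 16)
    (docs / "notes.txt").write_bytes(b"plain text, untouched\n")
    (docs / "renamed.venus").write_bytes(b"a user renamed this by hand\n")
    (temp / "README.hta").write_bytes(b"<html><body>ransom note placeholder</body></html>")
    return root


def demo():
    """Build the sample tree in a temporary directory, scan it, return results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        encrypted, suspect = scan_tree(root)
        notes = find_ransom_notes(root / "temp")
    return encrypted, suspect, notes


if __name__ == "__main__":
    encrypted, suspect, notes = demo()
    print("encrypted:", encrypted)
    print("suspect:  ", suspect)
    print("HTA notes in temp:", notes)
```

On a live host you would call scan_tree on each data volume and find_ransom_notes on os.environ["TEMP"]; keep the "suspect" list, since a .venus file without the marker is most likely a renamed file rather than ciphertext, and a marker without the extension would be worth a closer look.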
The ransom note lists a TOX address and an email address through which victims are to contact the gang and negotiate the ransom. Researchers warned that administrators who expose Remote Desktop to the internet should put it behind a firewall; since the group also hits RDP on non-standard TCP ports, merely moving the service off port 3389 is no defence.
If such systems must be reachable from outside, putting access behind a VPN is strongly recommended. Securing exposed remote desktop services is the best way to avoid being hit, experts say.
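Because the group goes after RDP on non-standard ports too, an inventory of exposed RDP listeners must not be port-based. The script below is an added example, not from the article: it builds the X.224 Connection Request that every RDP client sends first (TPKT header, X.224 CR TPDU and an RDP Negotiation Request, laid out as in Microsoft's MS-RDPBCGR specification) and parses the server's X.224 Connection Confirm, so any TCP port that answers with a CC can be identified as RDP regardless of its number. The three sample server replies are constructed from the specification's layout for the demo, not captures; probe() is the only function that touches the network and is meant to be pointed at your own address ranges.

```python
import socket
import struct

# requestedProtocols / selectedProtocol flag values (MS-RDPBCGR).
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request + RDP Negotiation Request (19 bytes)."""
    neg_req = struct.pack("<BBHI", NEG_REQ, 0, 8, requested)       # little-endian
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)  # LI, CR, refs, class
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224) + len(neg_req))
    return tpkt + x224 + neg_req


def parse_connection_confirm(data):
    """Return {'rdp': True, 'negotiation': ...} for an X.224 CC, else None."""
    if len(data) < 11 or data[0] != 3:
        return None
    if struct.unpack(">H", data[2:4])[0] != len(data):
        return None
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:                  # 0xD = Connection Confirm
        return None
    result = {"rdp": True, "negotiation": None}
    neg = data[11:11 + li - 6]               # bytes after the fixed CC header
    if len(neg) >= 8:
        typ, _flags, length, value = struct.unpack("<BBHI", neg[:8])
        if typ == NEG_RSP and length == 8:
            result["negotiation"] = ("selected", value)
        elif typ == NEG_FAILURE and length == 8:
            result["negotiation"] = ("failure", FAILURE_CODES.get(value, hex(value)))
    return result


def _recv_tpkt(sock):
    """Read one TPKT-framed message (length is in the header's last two bytes)."""
    head = sock.recv(4)
    if len(head) < 4 or head[0] != 3:
        return head
    total = struct.unpack(">H", head[2:4])[0]
    body = b""
    while len(body) < total - 4:
        chunk = sock.recv(total - 4 - len(body))
        if not chunk:
            break
        body += chunk
    return head + body


def probe(host, port, timeout=3.0):
    """Send a CR to host:port; returns the parsed CC, or None if it is not RDP."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request())
            return parse_connection_confirm(_recv_tpkt(s))
    except OSError:
        return None


# Constructed server replies laid out per the specification (not captures).
SAMPLE_CC_NLA = bytes.fromhex("030000130ed00000123400") + struct.pack("<BBHI", NEG_RSP, 0, 8, PROTOCOL_HYBRID)
SAMPLE_CC_FAIL = bytes.fromhex("030000130ed00000123400") + struct.pack("<BBHI", NEG_FAILURE, 0, 8, 5)
SAMPLE_CC_LEGACY = bytes.fromhex("0300000b06d00000123400")   # CC without negotiation data
SAMPLE_NOT_RDP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for label, reply in [("nla", SAMPLE_CC_NLA), ("fail", SAMPLE_CC_FAIL),
                         ("legacy", SAMPLE_CC_LEGACY), ("http", SAMPLE_NOT_RDP)]:
        print(label, parse_connection_confirm(reply))
```

Feed probe() the open ports from a port scan of your own ranges, e.g. probe("10.0.0.5", 3390). A result of ("selected", 2) means the listener negotiated CredSSP, i.e. Network Level Authentication; a failure such as HYBRID_REQUIRED_BY_SERVER, which an NLA-enforcing server returns when the client offers only standard RDP security, carries the same message. Anything that answers with a CC at all is an RDP endpoint that should be behind the firewall or VPN the article recommends, whatever port it sits on.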