Researchers say that publicly available remote desktop services are being used to deploy new ransomware on targeted endpoints.
Cybersecurity researcher linuxct recently contacted MalwareHunterTeam to learn more about the discovered Venus ransomware.
Later, the team found that the ransomware's operators had been active since mid-August 2022, targeting victims worldwide by entering corporate networks through the Windows Remote Desktop Protocol (RDP), even when the organization runs the service on a non-standard port.
Hiding behind a firewall
Researchers concluded that the best way to protect against such attacks is to place these services behind a firewall. Furthermore, Remote Desktop Services should not be publicly accessible, and ideally should only be accessible via a virtual private network (VPN).
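One way to check that advice on a Windows host: the added PowerShell audit below (not code from the article or its sources) reads the configured RDP port, lists every enabled inbound allow rule that covers it, and flags rules scoped to any remote address; the `$VpnSubnet` value is an assumed placeholder for your VPN client range.

```powershell
# Added example: audit whether this host's RDP listener is reachable from anywhere
# or restricted to a VPN/management subnet. Run in an elevated PowerShell session.
$VpnSubnet = '10.8.0.0/24'   # assumption: the address range your VPN clients receive

# The listener port lives in the registry (default 3389); a non-standard port alone is
# not a protection, which is why the scope check below keys off whatever port is set.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "RDP listens on TCP $rdpPort"

# Inspect every enabled inbound allow rule that matches that port and report its remote scope.
$findings = @()
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -ne 'TCP') { continue }
    if ($portFilter.LocalPort -notcontains "$rdpPort" -and $portFilter.LocalPort -notcontains 'Any') { continue }
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $findings += [pscustomobject]@{
        Rule          = $rule.DisplayName
        RemoteAddress = ($scope -join ',')
        Exposed       = ($scope -contains 'Any')   # 'Any' means the rule does not limit sources
    }
}
$findings | Format-Table -AutoSize

# Print (do not apply) the narrowed rule that implements the recommendation: RDP only from the VPN subnet.
if ($findings | Where-Object Exposed) {
    Write-Warning "RDP is reachable from any remote address. Suggested replacement rule:"
    Write-Host "  New-NetFirewallRule -DisplayName 'RDP (VPN only)' -Direction Inbound -Protocol TCP -LocalPort $rdpPort -RemoteAddress $VpnSubnet -Action Allow"
    Write-Host "  (then disable the broadly scoped rules listed above)"
}
```

Host firewall scoping is a second layer only; the article's primary recommendation is that the service not be reachable from the internet at all.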
Venus itself behaves much like other ransomware of this type. Once network mapping, endpoint identification, and other reconnaissance are complete, the malware kills 39 processes used by database servers and Office applications, deletes event logs and shadow copy volumes, disables Data Execution Prevention, and encrypts all files, appending a .venus extension.
Finally, the ransomware creates a ransom note demanding payment in cryptocurrencies in exchange for a decryption key. Venus usually requests payment in bitcoins, and the latest information shows that the group is asking for 0.02 BTC, or about $380, for the decryption key.
At the end of the ransom note is a base64-encoded blob that researchers believe is most likely an encrypted decryption key. New submissions to ID Ransomware are still arriving daily.
Another ransomware strain using the same encrypted file extension surfaced last year, but researchers aren’t sure if it’s the same ransomware variant or not.
By: BleepingComputer