Since August 2022, the Venus ransomware has been compromising Remote Desktop (RDP) Services.
The main targets of the malware are unprotected Windows devices with publicly available RDP.
Successful Venus ransomware has been locking users out of essential files and requesting payment in crypto.
What should every organization know about the Venus ransomware, and what are some of the top cybersecurity practices to prevent and fight this type of malware?
Before we take the precautionary steps and the best practices for those already impacted, let’s determine the signs of the latest ransomware.
Venus ransomware encrypts files, renames them, and notifies victims with a note on the screen.
The victims know they’ve been impacted when the note with terms and demands appears on their screen. After locking users out of the files, the threat actor notifies the user with a README.txt file and a desktop wallpaper.
The message on the screen confirms that malicious activity has taken place and displays instructions on how to get the files back and pay the ransom. In this case, the user is supposed to contact the criminal for further instructions within five days.
The hackers communicate that all the victim’s files have been encrypted and will leak obtained information to the public if the demands are unmet.
Another evident clue that the Venus Ransomware has impacted files is the filename extension. Locked files that can’t be opened have an additional ” venus ” suffix.”
Any global Windows device with publicly available Remote Desktop components is susceptible to Venus ransomware. RDP is the access point that is exploited in the attack.
In the case of a successful breach, the database of the servers and Office apps are affected as the cybercriminal obtains control over the processes.
Some of the hackers’ capabilities following the successful attack include erasing event logs and not allowing Data Execution Prevention to occur.
On infected devices, the ransomware encrypts data, generates ransom notes (most likely also encrypted description keys), and changes the wallpaper to display another (primarily identical) ransom message.
In most cases, it’s challenging to decrypt the files and reverse engineer the ransomware unless the malware has a specific error. Even by removing the malware, already infected files will not be decrypted.
Therefore, it’s essential to set preventive measures to guard assets against cyber ransom exploits.
How can one prepare for the very real possibility of Venus ransomware?
The critical weakness that enables Venus ransomware is publicly-exposed Remote Desktop Services. Therefore, the best cybersecurity measures include using a Virtual Private Network (VPN) when accessing Remote Desktop Services.
Ensure that RDP isn’t available to the public and protect such services with a firewall.
According to the latest data, this ransomware has been possible via phishing campaigns over email, torrent websites, and ads riddled with malware.
Hackers send the infected attachment over the email or plant the malicious code on ads on the internet.
Knowing and understanding these distribution methods is essential in Venus ransomware prevention. More sophisticated email filters and blocking access to sites such as torrent pages and adware is a great start.
Some tools are specifically designed to detect the signs of malware (e.g., encryption).
Besides such protective software, it’s necessary to guard the infrastructure with layered security that consists of various programs and protocols.
That is, cybersecurity has to be solid and comprehensive — covering all devices connecting to the remote network and blocking any pathway that hackers might try and exploit for monetary gain.
In addition to these cybersecurity measures, it’s essential to back up the data in separate servers that can’t be accessed remotely. This enables your teams to keep up with their daily tasks even if part of the network is compromised and can’t be accessed.
What should you do if the threat actors have already demanded a ransom? Is there a way to unlock the files, and is it a good idea to pay up?
Under pressure, many organizations consider and often do pay the ransom.
For instance, the Venus ransom is accompanied by a note urging the victim not to contact third-party aid that might try and decrypt files. Or else, they’ll lose the files forever, even if the ransom is paid.
However, paying is not a solution as that act confirms to the threat actors that the attack has been successful, and there is no guarantee that they’ll keep their end of the deal.
The simple truth in the eyes of the law is that you’re funding further criminal activity.
Although paying seems less costly than rebuilding the infrastructure from scratch, there is no guarantee that criminals won’t leak the data anyway or not lend you the key for file encryption.
Moreover, it’s illegal to pay the ransom — report the criminal activity instead.
Contacting and communicating with the criminal organization is not advised either.
Although the Venus ransomware has been active since August 2022, many organizations and individuals can still be susceptible to the threat and not have the proper tools to aid detection and mitigation.
The malware is a reminder of how difficult it is to weed out ransomware.
Over the last couple of years, this kind of exploit has increased. Besides the increased ransomware attacks, it has evolved into more sophisticated variants.
New versions can do even more than encrypt the files — they can lock the user out of the system, download data from affected files, delete data, cease various functions using remote commands, and more.
Proper anti-ransomware protection and robust cybersecurity architecture are essential for any business that wants to avoid dangerous and costly ransom notes.