Publicly exposed Remote Desktop services are being abused to deploy new ransomware onto target endpoints, researchers are saying.
A cybersecurity researcher going by the name linuxct recently reached out to MalwareHunterTeam to try and learn more about a ransomware strain they discovered called Venus.
The team later found that the ransomware operators had been active since mid-August 2022, targeting victims across the world by gaining access to a corporate network through the Windows Remote Desktop protocol, even when an organization uses an unusual port number for the service.
Hiding behind a firewall
The best way to protect against such attacks, researchers concluded, is to put these services behind a firewall. What’s more, Remote Desktop Services shouldn’t be publicly exposed, and would ideally be accessible only through a Virtual Private Network (VPN).
As for Venus ransomware, the modus operandi is nothing out of the ordinary for this type of malware. Once network mapping, endpoint identification, and other reconnaissance work is done, the malware will kill 39 processes used by database servers and Office applications. Event logs and shadow copy volumes would get deleted, Data Execution Prevention would get disabled, and all files would be encrypted to carry the .venus extension.
Finally, the ransomware would create a ransom note, demanding payment in cryptocurrencies in exchange for the decryption key. Venus would usually demand payment in bitcoin, and the latest information points to the group demanding 0.02 BTC, or approximately $380, for the decryption key.
The end of the ransom note holds a base64 encoded blob, which researchers believe is most likely the encrypted decryption key, and new submissions are being uploaded to ID Ransomware daily,
Last year, there was another ransomware strain using the same encrypted file extension, but researchers are not sure if it’s the same ransomware variant or not.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba