Venus ransomware targets publicly exposed Remote Desktop services to encrypt Windows devices, abusing insecure RDP access to spread. Infections result in files ending with the .venus extension and a ransom note demanding payment. #VenusRansomware #RemoteDesktop
Keypoints
- Venus ransomware targets publicly exposed Remote Desktop Protocol (RDP) to break in and encrypt Windows devices.
- The campaigns have been active since at least August 2022 and have gained visibility recently.
- Attacks typically gain initial access through RDP that was left running and reachable from the internet, often protected only by a password.
- Encrypted files end with the .venus extension and may include extra markers inside files.
- Victims have reported home networks being affected, external drives compromised, and a PC being used as a server.
- Mitigations include enabling MFA for RDP, limiting login attempts where possible, and routing RDP through a VPN, especially on Windows 11.
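The mitigations above come down to how RDP is exposed on each Windows host. The following read-only audit is an added example (not code from the Malwarebytes article) that checks the settings a defender would review first: whether RDP is enabled, whether Network Level Authentication is required, whether an account lockout threshold limits login attempts, and whether the Remote Desktop firewall rules accept connections from any remote address rather than a VPN range. It assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the article): audit RDP exposure settings on this host.
# Read-only; it only reports findings. Assumes an elevated PowerShell session.

$findings = @()

# 1. Is RDP enabled? fDenyTSConnections = 0 means incoming connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled on this host.'
}

# 2. Is Network Level Authentication required? UserAuthentication = 1 demands valid
#    credentials before a session is created, which raises the cost of password guessing.
$nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
if ($nla.UserAuthentication -ne 1) {
    $findings += 'NLA is not required for RDP (UserAuthentication should be 1).'
}

# 3. Account lockout threshold: "Never" means unlimited login attempts.
$lockoutLine = (net accounts) | Select-String 'Lockout threshold'
if ("$lockoutLine" -match 'Never') {
    $findings += 'Account lockout threshold is Never; set one, e.g. net accounts /lockoutthreshold:5'
}

# 4. Do enabled Remote Desktop firewall rules accept connections from any address?
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -eq 'Any') {
            $findings += "Firewall rule '$($_.DisplayName)' allows RDP from Any remote address; restrict it to the VPN subnet."
        }
    }

if ($findings.Count -eq 0) { 'No RDP exposure findings.' } else { $findings }
```

MFA for RDP is provided by a third-party or identity-provider component and is not visible in these settings, so it has to be verified separately.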
MITRE Techniques
- [T1021.001] Remote Desktop Protocol – Initial access through insecurely exposed RDP. “Break into the network via insecure access, stop processes and services according to the whims of the ransomware authors, and then encrypt the desired files.”
- [T1486] Data Encrypted for Impact – The ransomware encrypts files and appends a .venus extension; “We downloaded and encrypted your data. Only we can decrypt your data.”
Indicators of Compromise
- [File Extension] .venus – extension appended to files after encryption; examples: document.docx.venus, report.xlsx.venus
- [Exposed Service] Publicly exposed Remote Desktop services – RDP left accessible on the internet as noted in the article
Read more: https://www.malwarebytes.com/blog/news/2022/10/venus-ransomware-targets-remote-desktop-services