Venus ransomware, also known as Goodgame, operates as a standalone legacy package with links to Zeoticus and has been encrypting files globally since August 2022. It relies on publicly exposed RDP and common attack techniques rather than sophisticated malware, and while it lacks a public data leak site, it shares code similarities with Zeoticus and is linked to operators who advise contacting via email/TOX. #VenusRansomware #Zeoticus
Keypoints
- Venus is a standalone “legacy ransomware” package (not a RaaS) sold on underground markets with a decryptor included, and it lacks a public data leak site.
- There are markers suggesting a genealogy with Zeoticus, including similar command patterns (e.g., ping usage) and persistence/housekeeping behaviors.
- Initial access is commonly via publicly exposed and vulnerable RDP services, often found through scanning tools or access brokers.
- On execution, Venus elevates via UAC, spawns a child process, delays with ping, and deletes its first-stage binary while hiding the console window.
- It terminates a hardcoded list of processes, achieves persistence via registry Run Keys, encrypts files with a .venus extension, and shows a ransom note (HTA) and changed wallpaper/iconography.
- Venus performs local discovery (machine name/OS), traverses network shares (NetShareEnum/wNetOpenEnum), and may use WMI to query system services.
- Connections to Zeoticus include shared markers (e.g., g g g o n e123) and similar persistence/defense-evasion patterns, with both families offering standalone packages and not leaking data publicly.
MITRE Techniques
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – On launch the malware uses a child process and executes commands via the Windows shell. ‘vdsldr.exe -Embedding cmd.exe (wbadmin.exe) delete shadows /all /quiet && …’
- [T1005] Data from Local System – During execution the malware performs basic local discovery such as finding the machine name and OS. ‘During the course of execution, the malware attempts basic local discovery such as finding the machine name and OS.’
- [T1012] Query Registry – Persistence is achieved by adding an entry for the ransomware payload in the registry (Windows run key). ‘Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\352.exe’
- [T1018] Remote System Discovery – Initial access is reportedly via publicly-exposed and vulnerable RDP services. ‘Initial access is reportedly publicly-exposed and vulnerable RDP (Remote Desktop Protocol) services.’
- [T1070.004] Indicator Removal: File Deletion – The malware deletes its own first-stage binary as part of its cleanup. ‘delay before deleting its own first-stage binary’ and ‘del C:\Users\[user]\Desktop\file.exe’
- [T1082] System Information Discovery – The malware gathers system information as part of its discovery. ‘basic local discovery such as finding the machine name and OS.’
- [T1112] Modify Registry – The ransomware modifies registry entries (e.g., wallpaper). ‘registry modification to change the wallpaper.’
- [T1120] Peripheral Device Discovery – It traverses network shares via NetShareEnum and wNetOpenEnum. ‘traverses available network shares via NetShareEnum and wNetOpenEnum.’
- [T1202] Indirect Command Execution – The malware uses command-line syntax to perform housekeeping tasks and control flow. ‘the following commands are commonly used across Venus variants…’
- [T1486] Data Encrypted for Impact – Encrypted files are marked by a .venus extension. ‘Once encrypted, affected files will be appended with the .venus extension.’
- [T1490] Inhibit System Recovery – The malware includes commands to disable system recovery and backup features. ‘Inhibit System Recovery: …’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry Run Keys for persistence. ‘Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\352.exe’
- [T1564.003] Hide Artifacts: Hidden Window – The malware hides artifacts (console window). ‘hiding the console window from victims.’
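As an added illustration that is not part of the article, the following Python pass applies the behaviours mapped above (shadow-copy deletion, ping-delay followed by self-deletion, a Run key pointing into a user-writable path, and .venus file creation) to constructed Sysmon-style events; the event field names and the sample command lines are assumptions, not observed Venus samples.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (assumed field names): id 1 = process create,
# id 11 = file create, id 13 = registry value set. Paths and users are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "cmdline": "cmd.exe /c wbadmin.exe delete shadows /all /quiet"},
    {"id": "1", "cmdline": r"cmd.exe /c ping 127.0.0.1 -n 5 > nul && del C:\Users\bob\Desktop\file.exe"},
    {"id": "13", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\352.exe",
     "details": r"C:\Users\bob\AppData\Local\Temp\352.exe"},
    {"id": "11", "target": r"C:\Users\bob\Documents\report.docx.venus"},
    {"id": "1", "cmdline": "cmd.exe /c dir"},  # benign, should not fire
]

# Each rule: (technique id, event id it applies to, predicate over the event).
SHADOW_RE = re.compile(r"delete\s+shadows.*?/all.*?/quiet", re.I)       # T1490
PING_DEL_RE = re.compile(r"\bping\b.*&&\s*del\s", re.I)                  # T1070.004
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)                # T1547.001
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Desktop)\\", re.I)


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (technique, evidence) pairs for events matching the Venus patterns."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        cmdline = e.get("cmdline", "")
        target = e.get("target", "")
        if e["id"] == "1" and SHADOW_RE.search(cmdline):
            hits.append(("T1490", cmdline))
        if e["id"] == "1" and PING_DEL_RE.search(cmdline):
            hits.append(("T1070.004", cmdline))
        # Run key whose payload lives under Temp or Desktop rather than Program Files.
        if (e["id"] == "13" and RUN_KEY_RE.search(target)
                and USER_WRITABLE_RE.search(e.get("details", ""))):
            hits.append(("T1547.001", target))
        if e["id"] == "11" and target.lower().endswith(".venus"):
            hits.append(("T1486", target))
    return hits


if __name__ == "__main__":
    for technique, evidence in detect(SAMPLE_EVENTS):
        print(f"{technique}: {evidence}")
```

The single-event rules are deliberately loose; in practice a correlation window that ties the Run key write and the shadow-copy deletion to the same parent process cuts false positives from legitimate backup tooling.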
Indicators of Compromise
- [SHA1] file hashes – 026ce3bceb3a82452f0fc38c0b9abfa90f2c9d87, 06757be6174bdc9ef8fe899bcbe5e6e5547dc059, and 2 more hashes
- [SHA256] file hashes – 04d75593f6acdfe0c959345b8d6702166537d7533abfeb4b568339dee1986b5e, 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028, and 2 more hashes
- [File Extension] encrypted files use .venus and ransom notes use .HTA – the dropped image files listed next (e.g., 16773516481972502376.jpg) are related artifacts, not encrypted files
- [File Name] example file names – 16773516481972502376.jpg, 34004731821972527219.jpg, and 2 more file names
- [Registry Key] Run key for startup – Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\352.exe
- [File Path] suspect file paths – C:\Users\[user]\Desktop\file.exe, C:\Users\[user]\AppData\Local\Temp\[20char string].jpg
- [Process Name] terminated processes – agntsvc.exe (and other listed processes in the article)