Publicly exposed Remote Desktop services are being abused to deploy new ransomware onto target endpoints, researchers are saying.
A cybersecurity researcher going by the name linuxct recently reached out to MalwareHunterTeam to try and learn more about a ransomware strain they discovered called Venus.
The team later found that the ransomware operators had been active since mid-August 2022, targeting victims across the world by gaining access to a corporate network through the Windows Remote Desktop protocol, even when an organization uses an unusual port number for the service.
Hiding behind a firewall
The best way to protect against such attacks, researchers concluded, is to put these services behind a firewall. What’s more, Remote Desktop Services shouldn’t be publicly exposed, and would ideally be accessible only through a Virtual Private Network (VPN).
As for Venus ransomware, the modus operandi is nothing out of the ordinary for this type of malware. Once network mapping, endpoint identification, and other reconnaissance work is done, the malware will kill 39 processes used by database servers and Office applications. Event logs and shadow copy volumes would get deleted, Data Execution Prevention would get disabled, and all files would be encrypted to carry the .venus extension.
Finally, the ransomware would create a ransom note, demanding payment in cryptocurrencies in exchange for the decryption key. Venus would usually demand payment in bitcoin, and the latest information points to the group demanding 0.02 BTC, or approximately $380, for the decryption key.
The end of the ransom note holds a base64 encoded blob, which researchers believe is most likely the encrypted decryption key, and new submissions are being uploaded to ID Ransomware daily,
Last year, there was another ransomware strain using the same encrypted file extension, but researchers are not sure if it’s the same ransomware variant or not.
Via: BleepingComputer (opens in new tab)