Venus ransomware has been targeting healthcare organizations in the U.S., according to an analyst note issued by the Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services (HHS).

What does the alert say?

The report says that at least one healthcare entity in the U.S. fell victim to Venus ransomware recently.
  • Although the operation is not believed to run as a RaaS model, it uses a wide variety of contact email addresses and TOX IDs, which suggests it may be the work of multiple threat actors.
  • The ransomware has a new variant, GOODGAME, that uses the .venus extension. It is entirely different from the VenusLocker malware, which uses the .venusf file extension during encryption.
  • This operation does not have any associated data leak site so far.

Impact and ransom demand

  • Its samples have been observed contacting IP addresses in various countries, including the U.S., the Netherlands, Great Britain, Denmark, France, Ireland, Russia, and Japan.
  • Open-source reports indicate that its initial ransom demands start around 1 BTC or less than $20,000.

Attack capabilities

Venus ransomware was first spotted in mid-August and has since been relatively active, encrypting victims worldwide.
  • The threat actors behind the ransomware operations are known for targeting publicly exposed Remote Desktop services to encrypt victims' Windows devices.
  • When executed, the Venus ransomware attempts to terminate processes associated with database services and Microsoft Office apps. In addition, it deletes event logs and Volume Shadow Copies and disables Data Execution Prevention (DEP).
  • It uses the AES and RSA algorithms for file encryption and adds the .venus extension. The recent GOODGAME variant appends a goodgamer file marker and other information to the end of each encrypted file.
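The host-level behaviours listed above (killing database and Office processes, clearing event logs, deleting shadow copies, disabling DEP) are what an EDR or SIEM rule should key on, and several of them appearing on one host in quick succession is a far stronger signal than any single one, since a lone shadow-copy deletion may be routine maintenance. The Python example below is added here and is not part of the HC3 note or Cyware's reporting. It runs simple regular-expression rules over Sysmon-style process-creation records and reports hosts that exhibit two or more distinct behaviours. The command-line patterns are the example author's own approximations of the Windows built-ins normally used for each action, not Venus-specific indicators, and the event records are constructed sample data.

```python
"""Behavioural detection for the host actions the advisory attributes to
Venus: terminating database/Office processes, clearing event logs, deleting
volume shadow copies and disabling DEP.  Input is a list of process-creation
events shaped like Sysmon Event ID 1 (Computer, Image, CommandLine).
The events below are constructed samples, not captured telemetry."""
import re
from collections import defaultdict

# Rule name -> regex over the full command line.  These patterns are the
# example author's approximations of the usual Windows built-ins for each
# behaviour (assumption: not an indicator taken from the advisory).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "event_log_clearing": re.compile(
        r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I),
    "dep_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bnx\b.*\balwaysoff\b", re.I),
    "db_or_office_kill": re.compile(
        r"\btaskkill(\.exe)?\b.*\b(sqlservr|mysqld|postgres|oracle"
        r"|winword|excel|outlook|msaccess)", re.I),
}

# Constructed sample events: WS01 shows the full chain, SRV02 a single
# shadow-copy deletion (plausible admin cleanup), SRV03 benign activity.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {current} nx AlwaysOff"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill.exe /F /IM sqlservr.exe"},
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /for=D: /oldest"},
    {"Computer": "SRV03", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]


def classify(event):
    """Return the names of all rules whose pattern matches the command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def score_host(events, threshold=2):
    """Group matched behaviours per host and return only hosts showing at
    least `threshold` distinct behaviours, as {host: sorted rule names}."""
    per_host = defaultdict(set)
    for ev in events:
        for name in classify(ev):
            per_host[ev["Computer"]].add(name)
    return {host: sorted(names)
            for host, names in per_host.items() if len(names) >= threshold}


if __name__ == "__main__":
    for host, behaviours in score_host(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(behaviours)}")
```

Tune `threshold` to the environment: on servers where backup software legitimately rotates shadow copies, requiring two distinct behaviours keeps the alert volume manageable while still catching the combination the advisory describes.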

Security tips

Since the ransomware targets publicly exposed Remote Desktop services, organizations should follow best practices to secure Remote Desktop access to both desktops and servers. Administrators are advised to use strong passwords, 2FA, firewalls (both software and hardware), and Network Level Authentication (NLA) to strengthen network security.
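Securing exposed RDP also means watching it: a burst of failed logons from one external address against several account names is the usual precursor to the intrusion described above. The Python example below is an addition to this page, not part of the HC3 alert or Cyware's reporting. It walks Windows Security log records for Event ID 4625 (failed logon), keeps only RDP-related logon types, and flags source addresses that exceed a threshold of failures inside a sliding time window. The field names follow the 4625 event schema; the records themselves are constructed, and the threshold and window are arbitrary tuning values.

```python
"""Flag password guessing against exposed RDP from Windows Security log
records (Event ID 4625, "An account failed to log on").  The records below
are constructed samples exported in a flat SIEM-style shape; timestamps are
ISO-8601 strings."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types seen for RDP failures.  With NLA enabled the failed CredSSP
# pre-authentication is commonly logged as type 3 (Network) rather than
# type 10 (RemoteInteractive), so both are kept.
RDP_LOGON_TYPES = {"3", "10"}


def _ev(ts, ip, user, logon_type="3", event_id=4625):
    """Build one constructed record using the 4625 field names."""
    return {"EventID": event_id, "TimeCreated": ts, "IpAddress": ip,
            "TargetUserName": user, "LogonType": logon_type}


# Constructed sample data: 203.0.113.7 (TEST-NET-3) sprays six names in
# under a minute; 198.51.100.22 fails twice 45 minutes apart; 10.0.0.5 is an
# internal user who mistypes once, then logs on at the console and succeeds.
SAMPLE_EVENTS = [
    _ev("2022-11-10T02:14:00", "203.0.113.7", "administrator"),
    _ev("2022-11-10T02:14:09", "203.0.113.7", "admin"),
    _ev("2022-11-10T02:14:17", "203.0.113.7", "sa"),
    _ev("2022-11-10T02:14:26", "203.0.113.7", "backup"),
    _ev("2022-11-10T02:14:35", "203.0.113.7", "scanner"),
    _ev("2022-11-10T02:14:44", "203.0.113.7", "administrator"),
    _ev("2022-11-10T02:20:00", "198.51.100.22", "jdoe"),
    _ev("2022-11-10T03:05:00", "198.51.100.22", "jdoe"),
    _ev("2022-11-10T08:30:12", "10.0.0.5", "mrivera", logon_type="10"),
    _ev("2022-11-10T08:31:00", "10.0.0.5", "mrivera", logon_type="2"),
    _ev("2022-11-10T08:31:40", "10.0.0.5", "mrivera", event_id=4624),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: finding} for every source whose failed RDP logons
    reach `threshold` inside any `window`-long sliding window.  A finding
    holds the total attempt count, the peak count within one window and the
    distinct account names tried."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4625 or ev["LogonType"] not in RDP_LOGON_TYPES:
            continue
        by_source[ev["IpAddress"]].append(ev)

    findings = {}
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["TimeCreated"]))
        recent = deque()   # timestamps inside the current window
        users = set()
        peak = 0
        for ev in evs:
            t = datetime.fromisoformat(ev["TimeCreated"])
            recent.append(t)
            users.add(ev["TargetUserName"])
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            findings[ip] = {"attempts": len(evs), "peak_in_window": peak,
                            "users": sorted(users)}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {finding['attempts']} failures, "
              f"peak {finding['peak_in_window']} per window, "
              f"accounts {finding['users']}")
```

The sliding window matters more than the raw count: two failures 45 minutes apart from the same address are a user mistyping a password, while six in 44 seconds against six different account names are not. Combining this with an account-lockout policy and NLA, as the advisory recommends, limits what such a burst can achieve even before anyone reads the alert.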
Cyware Publisher