November 13, 2022

The Health Sector Cybersecurity Coordination Center (HC3) recently shared information on tactics, techniques, and procedures used in Venus ransomware attacks, as well as some harm reduction recommendations that health organizations can use to strengthen their defenses against attacks.

The rise of the Venus ransomware, also known as GOODGAME, is the reason for these warnings. The ransomware, which was first identified in mid-August 2022, is a relatively new threat; however, the ransomware was used worldwide in attacks, and there are now submissions of the ransomware variant every day.

Threat actors are said to be encrypting Windows devices by using publicly exposed Remote Desktop services, including Remote Desktop on standard and non-standard TCP ports, as is the case with several ransomware groups.

If the ransomware gains access, it will try to terminate 39 processes related to database servers and Microsoft Office applications. Since the ransomware appears to aim at publicly exposed Remote Desktop services, including those that run on non-standard TCP ports, these services must be protected by a firewall.

Event logs and shadow copy volumes are deleted, and data execution prevention is disabled on compromised endpoints. Files are encrypted using the AES and RSA algorithms, and encrypted files have the.venus extension, as well as a goodgamer filemarker and other information.

HC3 also warns that “the operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time.”

The sources for this piece include an article in BleepingComputer.