The malicious actors behind the relatively new Venus ransomware are hacking publicly exposed Remote Desktop Services to encrypt Windows devices.
The Venus ransomware seems to have started operating in mid-August 2022 and has since encrypted victims worldwide. Another ransomware from 2021 used the same encrypted-file extension, but it is unclear whether the two are related.
Linuxct told BleepingComputer that the threat actors gained access to a victim’s corporate network through the Windows Remote Desktop protocol.
Another victim in the BleepingComputer forums also reported RDP being used for initial access to their network, even though the service was listening on a non-standard port number.
How it impacts victims:
When executed, Venus ransomware attempts to kill thirty-nine processes associated with database servers and Microsoft Office applications.
The ransomware also deletes event logs and shadow copy volumes and disables Data Execution Prevention (DEP) using the following command.
This command also creates an HTA ransom note in the %Temp% folder, which is displayed automatically once the ransomware has finished encrypting the device.
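As an added illustration (not from the original article or from any Venus sample), the following Python sketch flags the chain of behaviours listed above when run over constructed Sysmon-style records. The command lines it matches (vssadmin, wevtutil, bcdedit), the list of database and Office process names, and the kill-burst threshold are assumptions standing in for the typical Windows mechanisms, since the article does not reproduce the command.

```python
"""Behavioural detection sketch for the Venus-style chain described above.
Input: constructed Sysmon-like records (ID 1 process create, ID 5 process
terminate, ID 11 file create). Command lines are assumed typical mechanisms."""
import re
from collections import Counter

# (indicator name, regex applied to the lower-cased command line); assumed rules
PROCESS_RULES = [
    ("shadow_copy_delete", re.compile(r"(vssadmin|wmic)(\.exe)?\s+(delete\s+shadows|shadowcopy\s+delete)")),
    ("event_log_clear", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("dep_disable", re.compile(r"bcdedit(\.exe)?\s.*\bnx\s+alwaysoff")),
]
# Example database/Office images of the kind the article says get killed (assumed list)
KILL_TARGETS = {"sqlservr.exe", "mysqld.exe", "oracle.exe", "winword.exe", "excel.exe", "outlook.exe"}
KILL_THRESHOLD = 5  # this many target terminations within one minute is suspicious
HTA_IN_TEMP = re.compile(r"\\temp\\[^\\]+\.hta$")  # ransom note dropped in %Temp%

def analyze(events):
    """Return (findings, score); score = number of distinct indicators seen."""
    findings, kills = [], Counter()
    for ev in events:
        if ev["id"] == 1:
            for name, rx in PROCESS_RULES:
                if rx.search(ev["command_line"].lower()):
                    findings.append((name, ev["command_line"]))
        elif ev["id"] == 5 and ev["image"].lower().rsplit("\\", 1)[-1] in KILL_TARGETS:
            kills[ev["utc_time"][:16]] += 1  # bucket terminations by minute
        elif ev["id"] == 11 and HTA_IN_TEMP.search(ev["target"].lower()):
            findings.append(("hta_ransom_note_in_temp", ev["target"]))
    for minute, n in kills.items():
        if n >= KILL_THRESHOLD:
            findings.append(("db_office_kill_burst", f"{n} terminations at {minute}"))
    # One indicator alone is often admin work; several together match the described chain.
    return findings, len({name for name, _ in findings})

def kill(image, sec):  # build a constructed ID 5 record
    return {"id": 5, "image": "C:\\Program Files\\x\\" + image, "utc_time": "2022-10-15 14:03:%02d" % sec}

SAMPLE_EVENTS = [  # constructed telemetry, not real Venus data
    {"id": 1, "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet & "
                              "wevtutil cl System & bcdedit /set {current} nx AlwaysOff"},
    *[kill(img, i) for i, img in enumerate(sorted(KILL_TARGETS))],
    {"id": 11, "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\README.hta"},
]
BENIGN_EVENTS = [  # an admin clearing one log and closing Word: single indicator only
    {"id": 1, "command_line": "wevtutil.exe cl Application"},
    kill("winword.exe", 5),
]

if __name__ == "__main__":
    for label, evs in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        findings, score = analyze(evs)
        print(label, score, [n for n, _ in findings])
```

In practice the score would gate an alert so that a lone log clear or a single process exit does not page anyone, while the full chain does.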
Currently, Venus ransomware is quite active, with new submissions uploaded to ID Ransomware daily.