Remote Desktop Services Targeted by Sneaky Ransomware

According to researchers, publicly exposed remote desktop services are being exploited to deploy new ransomware on targeted devices.

A cybersecurity researcher by the name of linuxct recently contacted MalwareHunterTeam to try to get more information about a ransomware strain they discovered called Venus.

The team later found that the ransomware's operators have been active since mid-August 2022, targeting victims worldwide by getting into corporate networks over Windows Remote Desktop Protocol (RDP), even when an organization runs the service on an unusual port number.
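Moving RDP to an unusual port buys nothing against this kind of targeting, because RDP is identified by its handshake rather than its port. As an added example (not code from the article or from the researchers it cites), the Python below builds the X.224 Connection Request that opens every RDP session and classifies the server's reply, which is what a scanner does to find RDP wherever it listens and what a defender can run against their own ranges to see the same thing. The frame layouts and protocol codes come from Microsoft's MS-RDPBCGR specification; the function names and the sample replies are this example's own, and the replies are constructed, not captured.

```python
import socket
import struct

# Constants from MS-RDPBCGR: TPKT framing, X.224 connection TPDUs and the
# RDP negotiation structures carried inside them.
TPKT_VERSION = 0x03
X224_CONNECTION_REQUEST = 0xE0
X224_CONNECTION_CONFIRM = 0xD0
RDP_NEG_REQ, RDP_NEG_RSP, RDP_NEG_FAILURE = 0x01, 0x02, 0x03
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8

PROTOCOL_NAMES = {
    PROTOCOL_RDP: "standard RDP security (no TLS)",
    PROTOCOL_SSL: "TLS",
    PROTOCOL_HYBRID: "CredSSP (NLA)",
    PROTOCOL_HYBRID_EX: "CredSSP (NLA) with early user authorization",
}
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int = PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """X.224 Connection Request carrying an RDP_NEG_REQ: the first bytes of every RDP session."""
    # RDP_NEG_REQ is little-endian: type, flags, length (always 8), requested protocols.
    neg_req = struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR header: TPDU code, DST-REF, SRC-REF, class 0. The length indicator excludes itself.
    x224_body = struct.pack(">BHHB", X224_CONNECTION_REQUEST, 0, 0, 0) + neg_req
    x224 = struct.pack("B", len(x224_body)) + x224_body
    # TPKT: version 3, reserved, total length including this 4-byte header (big-endian).
    tpkt = struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Classify a reply: is this RDP at all, and which security layer did the server pick?"""
    if len(data) < 11 or data[0] != TPKT_VERSION:
        return {"is_rdp": False, "reason": "reply is not TPKT-framed"}
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len > len(data):
        return {"is_rdp": False, "reason": "truncated TPKT"}
    li = data[4]
    if data[5] & 0xF0 != X224_CONNECTION_CONFIRM:  # low nibble is the credit field, ignore it
        return {"is_rdp": False, "reason": "TPKT but no X.224 Connection Confirm"}
    result = {"is_rdp": True, "negotiation": "none (legacy server, standard RDP security only)"}
    neg = data[11:5 + li]  # bytes after the 6-byte CC header are the RDP negotiation structure, if any
    if len(neg) >= 8:
        neg_type, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
        if neg_type == RDP_NEG_RSP:
            result["negotiation"] = "response"
            result["selected_protocol"] = PROTOCOL_NAMES.get(value, hex(value))
        elif neg_type == RDP_NEG_FAILURE:
            result["negotiation"] = "failure"
            result["failure_code"] = FAILURE_NAMES.get(value, hex(value))
    return result


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_rdp(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send the request to host:port (any port) and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request())
            reply = _recv_exact(sock, 4)
            if len(reply) == 4 and reply[0] == TPKT_VERSION:
                reply += _recv_exact(sock, struct.unpack(">H", reply[2:4])[0] - 4)
            return parse_connection_confirm(reply)
    except OSError as exc:  # refused, reset or silent until timeout: none of these is RDP
        return {"is_rdp": False, "reason": str(exc)}


# Constructed replies for offline demonstration (not captured from any real host).
SAMPLE_REPLIES = {
    # CC with RDP_NEG_RSP selecting CredSSP: a server enforcing Network Level Authentication.
    "nla_server": bytes.fromhex("030000130ed00000123400" "0200080002000000"),
    # CC with RDP_NEG_FAILURE HYBRID_REQUIRED_BY_SERVER: what an NLA server sends to a client
    # that offered only PROTOCOL_RDP.
    "nla_required_failure": bytes.fromhex("030000130ed00000123400" "0300080005000000"),
    # Bare CC with no negotiation structure: an old server that speaks only standard RDP security.
    "legacy_server": bytes.fromhex("0300000b06d00000123400"),
    "web_server": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(name, parse_connection_confirm(reply))
    # Live use, e.g. against your own perimeter: print(probe_rdp("198.51.100.10", 33890))
```

Every classification the script produces on a live host is information an attacker's scanner already has, including whether NLA is enforced; the "legacy_server" case, an exposed host accepting standard RDP security with no NLA, is the one to fix first.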

Hidden behind a firewall

The best protection against such attacks, the researchers concluded, is to put these services behind a firewall. Remote desktop services should not be exposed to the internet at all and would ideally be reachable only through a virtual private network (VPN).

As for the Venus ransomware, the modus operandi is nothing extraordinary for this type of malware. Once network mapping, endpoint identification and other reconnaissance are complete, the malware kills 39 processes belonging to database servers and Office applications. It then deletes event logs and volume shadow copies, disables Data Execution Prevention (DEP), and encrypts files, appending the .venus extension.
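Each of those pre-encryption steps is visible in process-creation telemetry before a single file is encrypted, and together they are a stronger signal than any one of them alone. As an added example (not from the article, and not a signature of Venus, whose exact commands the article does not describe), the Python below runs a small rule set over process-creation events and raises a high-severity alert when several distinct behaviours from that sequence appear on one host inside a short window. The command patterns are the well-known Windows ways of deleting shadow copies, clearing event logs, disabling DEP and stopping database or Office processes; the event records are constructed and normalised to dicts the way a SIEM would present Security 4688 or Sysmon event 1 data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule names one pre-encryption behaviour and matches the common Windows command lines
# used to carry it out. Generic ransomware indicators, not family-specific signatures.
RULES = {
    "db_or_office_process_kill": re.compile(
        r"(taskkill(\.exe)?\s.*?/IM\s+|net(\.exe)?\s+stop\s+)"
        r"(sqlservr|sqlwriter|mysqld|oracle|postgres|mssql\w*|winword|excel|outlook|msaccess)", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy\b.*\bDelete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
    "dep_disabled": re.compile(r"bcdedit(\.exe)?\s.*\bnx\s+AlwaysOff\b", re.I),
}


def classify(cmdline: str) -> list:
    """Return the behaviour tags whose pattern matches this command line."""
    return [tag for tag, rx in RULES.items() if rx.search(cmdline)]


def detect(events, window_minutes: int = 10, min_behaviours: int = 2) -> dict:
    """Per host, find the largest set of distinct behaviours inside one sliding window.

    A single match (an administrator clearing one log) is medium; several different
    behaviours in quick succession is the ransomware preparation sequence and is high.
    """
    by_host = defaultdict(list)
    for ev in events:
        for tag in classify(ev["cmdline"]):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tag, ev["cmdline"]))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        best = set()
        for i, (start, _, _) in enumerate(hits):
            in_window = {tag for t, tag, _ in hits[i:] if t - start <= window}
            if len(in_window) > len(best):
                best = in_window
        alerts[host] = {
            "severity": "high" if len(best) >= min_behaviours else "medium",
            "behaviours": sorted(best),
            "first_seen": hits[0][0].isoformat(),
            "last_seen": hits[-1][0].isoformat(),
            "commands": [c for _, _, c in hits],
        }
    return alerts


# Constructed process-creation records (Security 4688 / Sysmon event 1 style, normalised to
# dicts); not taken from any real incident.
SAMPLE_EVENTS = [
    {"time": "2022-08-17T02:14:05", "host": "FS01", "user": "FS01\\backupadm", "parent": "cmd.exe",
     "cmdline": "taskkill.exe /F /IM sqlservr.exe"},
    {"time": "2022-08-17T02:14:09", "host": "FS01", "user": "FS01\\backupadm", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2022-08-17T02:14:12", "host": "FS01", "user": "FS01\\backupadm", "parent": "cmd.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"time": "2022-08-17T02:14:30", "host": "FS01", "user": "FS01\\backupadm", "parent": "cmd.exe",
     "cmdline": "bcdedit.exe /set {current} nx AlwaysOff"},
    {"time": "2022-08-20T09:00:00", "host": "WS07", "user": "CORP\\helpdesk", "parent": "powershell.exe",
     "cmdline": "wevtutil.exe cl Application"},
    {"time": "2022-08-20T09:01:00", "host": "WS08", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

if __name__ == "__main__":
    for host, alert in detect(SAMPLE_EVENTS).items():
        print(host, alert["severity"], ", ".join(alert["behaviours"]), alert["first_seen"])
```

The window-based grouping is what separates an operator preparing to encrypt from an administrator doing one of these things legitimately; tune the window and the `min_behaviours` threshold to the noise level of your own environment rather than the values used here.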

Finally, the ransomware drops a ransom note demanding payment in cryptocurrency in exchange for the decryption key. Venus typically demands bitcoin, and the latest information indicates that the group is asking for 0.02 BTC, or around €380, for the decryption key.

The end of the ransom note contains a base64-encoded blob, which researchers believe is likely the encrypted decryption key. New submissions are uploaded daily to the ID Ransomware service.

Last year, another ransomware strain used the same .venus file extension, but researchers are not sure whether it is the same variant.

Via: BleepingComputer