Remote desktop services targeted by devious ransomware

>

Publicly exposed Remote Desktop services are being abused to deploy new ransomware on target endpoints, researchers say.

A cybersecurity researcher named linuxct recently contacted MalwareHunterTeam to learn more about a ransomware strain they discovered called Venus.

The team later found that the ransomware operators had been active since mid-August 2022, targeting victims around the world by accessing a corporate network through the Windows Remote Desktop protocol, even when an organization is using an unusual port number for the service. .

Hidden behind a firewall

The best way to protect against such attacks, researchers conclude, is to place these services behind a firewall. In addition, Remote Desktop Services should not be made public and should ideally be accessible only through a Virtual Private Network (VPN).

As for Venus ransomware, the modus operandi is nothing out of the ordinary for this type of malware. Once network mapping, endpoint identification, and other reconnaissance work is done, the malware will kill 39 processes used by database servers and Office applications. Event logs and shadow copy volumes would be deleted, Data Execution Prevention would be disabled, and all files would be encrypted to carry the .venus extension.

Finally, the ransomware would create a ransom note, demanding payment in cryptocurrencies in exchange for the decryption key. Venus would normally demand payment in bitcoin, and the latest information indicates that the group is demanding 0.02 BTC, or about $380, for the decryption key.

The end of the ransom note contains a base64-encoded blob, which researchers believe is most likely the encrypted decryption key, and new entries are uploaded to ID Ransomware daily,

Last year there was another ransomware strain that used the same encrypted file extension, but researchers aren’t sure if it’s the same ransomware variant or not.

Through: BleepingComputer (opens in new tab)

Related Post