HC3 Analyst Note Warns Healthcare About Venus Ransomware

Nov. 11, 2022
The Health Sector Cybersecurity Coordination Center has issued an analyst note on Venus Ransomware that targets publicly exposed remote desktop services to encrypt Windows devices.

On Nov. 9 the Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note on Venus ransomware that targets publicly exposed remote desktop services.

The note states that “HC3 is aware of at least one healthcare entity in the United States falling victim to Venus ransomware recently. The threat actors behind Venus ransomware operations are known to target publicly exposed Remote Desktop Services to encrypt Windows devices. This report provides additional information, indicators of compromise, techniques and corresponding mitigations associated with Venus ransomware.”

Venus ransomware, according to the note, began operating in mid-August of 2022 and has encrypted victims on a global scale. Venus ransomware, when executed, will try to terminate 39 processes associated with database servers and Microsoft Office applications.  “As the ransomware appears to be targeting publicly-exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall,” the release adds. “The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command. When encrypting files, the ransomware uses AES and RSA algorithms and will append the ‘.venus’ extension. In each encrypted file, a 'goodgamer' filemarker and other information are added to the end of the file.”

The note suggests mitigations such as implementing a recovery plan, implementing network segmentation, and regularly backing up data.

An analyst’s comment was included in the note, saying that “The Venus ransomware variant, also known as GOODGAME, should not be confused with VenusLocker which uses the ‘.venusf’ file extension during encryption. The operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time. Despite this, the ransomware uses a wide variety of contact email addresses and TOX IDs, indicating it is likely that multiple threat actors are distributing the ransomware. Open source reports indicate that initial ransom demands may start around 1 BTC or less than USD $20,000. Samples in the wild have been observed contacting IP addresses in various countries including the US, Great Britain, Denmark, France, Ireland, the Netherlands, Russia, and Japan.”

Sponsored Recommendations

The Future of Storage: The Complexities and Implications in Healthcare

Join us on January 23rd to explore the future of data storage in healthcare and learn how strategic IT decisions today can shape agility and competitiveness for tomorrow.

IT Healthcare Report: Technology Insights for a Transformative Future

Explore the latest healthcare IT trends, challenges, and opportunities in AI, patient care, and security. Gain actionable insights to navigate the industry's transformation.

How to Build Trust in AI: The Data Leaders’ Playbook

This eBook strives to provide data leaders like you with a comprehensive understanding of the urgent need to deliver high-quality data to your business. It also reviews key strategies...

Quantifying the Value of a 360-Degree view of Healthcare Consumers

To create consistency in how consumers are viewed and treated no matter where they transact, healthcare organizations must have a 360° view based on a trusted consumer profile...