Remote desktop services targeted by ransomware

Researchers say remote desktop services left open to the public internet are being misused to spread a new ransomware strain on targeted endpoints.

A cybersecurity researcher known as linuxct recently contacted MalwareHunterTeam to find out more about a ransomware strain they had discovered, called Venus.

The team later found that the ransomware operators have been active since mid-August 2022, targeting victims around the world by accessing the corporate network through the Windows Remote Desktop Protocol (RDP), even when the organization runs the service on an unusual port number.

Hide behind a firewall

The researchers concluded that the best way to protect against such attacks is to put these services behind a firewall. Remote desktop services should not be exposed to the public internet, and access to them should ideally be possible only through a VPN.

The way Venus ransomware works is not out of the ordinary for this type of malware. Once network mapping, endpoint identification and other reconnaissance are complete, the malware kills 39 processes used by database servers and Office applications. Event logs and backup volumes are deleted, Data Execution Prevention is disabled, and all files are encrypted and given the .venus extension.
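As an added illustration (not code from the article or from the researchers it cites), the following Python detector looks for the three stages described above in a batch of Windows Security events: an RDP logon from outside the network, the Security log being cleared, and files written with the .venus extension. The event IDs and field names follow Windows Security log conventions, but the sample records, user names and host name are constructed, and `is_external` assumes that only RFC 1918, loopback and IPv6 unique-local ranges count as internal.

```python
import ipaddress
import json

# Ranges treated as internal; any other source address counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]

# Constructed sample events, one JSON object per line. Field names follow the
# Windows Security log (4624 logon, 1102 audit log cleared, 4663 object access),
# but every value below is made up for this example.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "admin", "Computer": "FILESRV01"}
{"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.23", "TargetUserName": "jsmith", "Computer": "FILESRV01"}
{"EventID": 4624, "LogonType": 3, "IpAddress": "203.0.113.45", "TargetUserName": "svc-backup", "Computer": "FILESRV01"}
{"EventID": 1102, "SubjectUserName": "admin", "Computer": "FILESRV01"}
{"EventID": 4663, "ObjectName": "C:\\Shares\\Q3\\report.xlsx.venus", "Computer": "FILESRV01"}
"""

def is_external(ip: str) -> bool:
    """True when the address is outside every internal range (unparsable -> False)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def analyze(events: str) -> list:
    """Return (signal, detail, host) tuples for the stages the article describes."""
    findings = []
    for line in events.strip().splitlines():
        ev = json.loads(line)
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        # Stage 1: RemoteInteractive (RDP, LogonType 10) logon from an external source.
        if eid == 4624 and ev.get("LogonType") == 10 and is_external(ev.get("IpAddress", "")):
            findings.append(("rdp_from_internet", f"{ev['TargetUserName']}@{ev['IpAddress']}", host))
        # Stage 2: Security event log cleared before encryption starts.
        elif eid == 1102:
            findings.append(("security_log_cleared", ev.get("SubjectUserName", "?"), host))
        # Stage 3: a file written with the extension the ransomware appends.
        elif eid == 4663 and ev.get("ObjectName", "").lower().endswith(".venus"):
            findings.append(("venus_extension_written", ev["ObjectName"], host))
    return findings

def hosts_with_full_chain(findings) -> list:
    """Hosts on which all three signals appeared, i.e. the highest-confidence alerts."""
    by_host = {}
    for signal, _, host in findings:
        by_host.setdefault(host, set()).add(signal)
    return sorted(h for h, s in by_host.items() if len(s) == 3)
```

A single RDP logon from an external address is only an exposure indicator; the host-level correlation is what turns the three signals into an incident worth paging on.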

Finally, the ransomware generates a ransom note demanding payment in cryptocurrency in exchange for a decryption key. Venus usually asks to be paid in Bitcoin, and the latest information indicates the group is requesting 0.02 BTC, or roughly $380, for the decryption key.

The end of the ransom note contains a base64-encoded blob, which researchers believe is most likely the encrypted decryption key. New submissions are uploaded to ID Ransomware daily.

Last year there was another ransomware strain that used the same .venus extension for encrypted files, but researchers aren't sure whether it is the same variant.

Via: Computer
