Get in Touch
Severity level: High – Compromise may result in encryption and loss of sensitive customer and business data.
The US department of health has warned of attacks from Venus ransomware against the health sector. The warning comes during an increase in targeted Venus attacks against several organisations within the US sector. Analyst notes from the Health Cyber Security Coordination Center (HC3) stated that at least one incident of Venus has been deployed against US healthcare sector networks.
Venus is a relatively new ransomware, first reported back in August 2022 and has been seen in multiple attacks across the world.
Venus ransomware is not regarded as a Ransomware-as-a-Service (RaaS) and no data leak site is known to exist.
In recent attacks, Venus is reportedly known to exploit the victims’ public-facing remote desktop services to encrypt Windows devices.
Successful exploitation will enable attackers to breach secure networks, steal data and encrypt devices. Standard ransomware tactics are to extort the victim with the threat of data leaks. However, due to the lack of known Venus leak sites, there is a realistic possibility Venus may instead target critical operating systems to leverage payment by hindering essential patient services.
A comprehensive Endpoint Detection and Response (EDR) solution such as Microsoft Defender can provide additional protection against ransomware threats such as Venus. EDRs can alert system users of potential breaches and stop further progress before the malware can do significant damage.
If compromised, the ransomware will automatically change the system desktop background and produce a ransom note labeled “README.txt”. The file contains an email for the victim to contact and request their files back.
Containment, Mitigations & Remediations
As stated above, the main method of reducing the threat of Venus is to detect it in the early stages through the use of an effective and monitored EDR solution. An effective EDR will increase detection of malicious attempts of ransomware compromise and halt them if detected.
Organisations can also perform routine back-ups of sensitive data that is needed to run the business and to keep a copy offline in case back-ups are impacted by the attack. Therefore, if a breach occurs and the business can no longer function, a back-up is ready to use, and the business can continue to operate with little disruption. However, this does not nullify the fact that customer and employee data may have also been lost, and potentially released at will by the attacker if demands are not met.
Indicators of Compromise
Venus associated hashes:
Venus associated IPs:
Venus associated email:
Ransomware and their affiliated gangs are in a constant cycle of adaptation and notoriety. A relatively new variant of ransomware may emerge and within just a few months it achieves significant status as a high-profile threat. Venus is such an example. This ransomware poses a heightened threat to victim networks as there has not been enough time for security experts to fully dissect and learn its operating methods, and therefore an expansive library of Indicators of Compromise is still being compiled.
Due to the groups relatively new emergence, not much is known about the group. However, some evidence based assumptions can be made. Such as, the group is not known to have a dedicated leak site on the dark web, therefore, there is a realistic possibility the group will target data that is necessary for day to day operations, rather then sensitive patient data. The aim of encrypting operations data will almost certainly be to stop medical services and force payments to be made.
T1021.001 – Remote Services: Remote Desktop Protocol
T1070.001 – Indicator Removal: Clear Windows Event Logs
T1133– External Remote Services
T1486 – Data Encrypted for Impact
T1489 – Service Stop
T1490 – Inhibit System Recovery
T1562.001 – Impair Defenses: Disable or Modify Tools