
Target Industry

Healthcare sector

Overview

Severity level: High – Compromise may result in encryption and loss of sensitive customer and business data.

The US Department of Health has warned of attacks by the Venus ransomware against the health sector. The warning comes amid an increase in targeted Venus attacks against several organisations within the US healthcare sector. Analyst notes from the Health Cyber Security Coordination Center (HC3) state that Venus has been deployed against US healthcare sector networks in at least one incident.

Venus is a relatively new ransomware family, first reported in August 2022, and has since been seen in multiple attacks across the world.

Venus ransomware is not regarded as a Ransomware-as-a-Service (RaaS) and no data leak site is known to exist.

In recent attacks, Venus operators are reported to have gained access through victims’ public-facing remote desktop services and then encrypted Windows devices.

Impact

Successful exploitation enables attackers to breach networks, steal data and encrypt devices. The standard ransomware tactic is to extort the victim with the threat of leaking stolen data. However, because no Venus leak site is known, there is a realistic possibility that Venus instead targets operationally critical systems, leveraging payment by hindering essential patient services.

Vulnerability Detection

A comprehensive Endpoint Detection and Response (EDR) solution such as Microsoft Defender provides additional protection against ransomware threats such as Venus. An EDR can alert system owners to a potential breach and stop further progress before the malware does significant damage.

On a compromised host, the ransomware changes the desktop background and drops a ransom note named “README.txt”. The note contains an email address for the victim to contact to request their files back.

Affected Products

Windows OS

Containment, Mitigations & Remediations

As stated above, the main way to reduce the threat from Venus is to detect it at an early stage through an effective, actively monitored EDR solution. An effective EDR increases detection of attempted ransomware compromise and halts it when detected.

Organisations can also take routine back-ups of the sensitive data needed to run the business and keep a copy offline in case online back-ups are affected by the attack. If a breach then occurs and the business can no longer function, a back-up is ready to use and the business can continue to operate with little disruption. However, this does not change the fact that customer and employee data may also have been stolen, and may be released by the attacker if demands are not met.

Indicators of Compromise

Venus associated hashes:

– 2e2cef71bf99594b54e00d459480e1932e0230fb1cbee24700fbc2f5f631bf12
– 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05

Venus associated IPs:

– 185.125.188.58
– 185.125.190.44
– 185.125.190.45
– 104.97.15.51
– 78.155.222.146
– 139.162.120.150

Venus associated email:

– getdecrypt[@]disroot[.]orx
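As an added example (not part of this bulletin, and not tooling from HC3 or the bulletin's author), the script below loads the indicators listed above, refangs the defanged email address, and scans log lines for any of them. The firewall and EDR log lines are constructed for illustration and their field names are assumptions; the indicator values are exactly those published above.

```python
"""Match the Venus indicators from this bulletin against log lines.

Added example for this bulletin, not the bulletin's own tooling. The
indicator values are copied from the bulletin; the log lines are constructed.
"""
import re

# Indicators as published in the bulletin (email kept in its defanged form).
VENUS_HASHES = {
    "2e2cef71bf99594b54e00d459480e1932e0230fb1cbee24700fbc2f5f631bf12",
    "6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05",
}
VENUS_IPS = {
    "185.125.188.58", "185.125.190.44", "185.125.190.45",
    "104.97.15.51", "78.155.222.146", "139.162.120.150",
}
VENUS_EMAILS_DEFANGED = {"getdecrypt[@]disroot[.]orx"}


def refang(indicator):
    """Convert a defanged indicator ([@], [.], hxxp) back to its matchable form."""
    return indicator.replace("[@]", "@").replace("[.]", ".").replace("hxxp", "http")


VENUS_EMAILS = {refang(e) for e in VENUS_EMAILS_DEFANGED}

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scan_line(line):
    """Return (indicator_type, value) for every bulletin IoC found in one log line."""
    hits = []
    for h in SHA256_RE.findall(line):
        if h.lower() in VENUS_HASHES:          # normalise case before the set lookup
            hits.append(("sha256", h.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in VENUS_IPS:
            hits.append(("ip", ip))
    for mail in EMAIL_RE.findall(line):
        if mail.lower() in VENUS_EMAILS:
            hits.append(("email", mail.lower()))
    return hits


def scan_log(lines):
    """Scan a whole log; returns (line_number, (indicator_type, value)) for each hit."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample log: firewall flows and EDR file events (field names are assumptions).
SAMPLE_LOG = [
    "2022-11-09T02:14:03Z fw action=allow src=10.0.5.21 dst=185.125.190.44 dport=443",
    r"2022-11-09T02:15:41Z edr host=WS-042 event=file_create path=C:\Users\Public\update.exe "
    "sha256=6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05",
    r"2022-11-09T02:16:10Z edr host=WS-042 event=file_create path=C:\Users\Public\README.txt "
    "note_contact=getdecrypt@disroot.orx",
    "2022-11-09T02:16:12Z fw action=allow src=10.0.5.21 dst=142.250.74.46 dport=443",
]

if __name__ == "__main__":
    for lineno, (kind, value) in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: Venus {kind} indicator {value}")
```

The refang step matters in practice: indicator feeds are normally published defanged so they cannot be clicked, but logs carry the live form, so a matcher that compares the bracketed string verbatim will never fire. Hash matching is case-normalised because different EDR products emit SHA-256 values in different cases.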

Threat Landscape

Ransomware families and their affiliated gangs are in a constant cycle of adaptation and notoriety. A relatively new variant may emerge and, within just a few months, achieve significant status as a high-profile threat; Venus is one such example. This ransomware poses a heightened threat to victim networks because there has not yet been enough time for security researchers to fully dissect and learn its operating methods, so an expansive library of Indicators of Compromise is still being compiled.

Threat Group

Because the group has only recently emerged, not much is known about it. However, some evidence-based assumptions can be made. The group is not known to have a dedicated leak site on the dark web, so there is a realistic possibility it will target data necessary for day-to-day operations rather than sensitive patient data. The aim of encrypting operational data will almost certainly be to stop medical services and force payment.

Mitre Methodologies

T1021.001 – Remote Services: Remote Desktop Protocol
T1070.001 – Indicator Removal: Clear Windows Event Logs
T1133 – External Remote Services
T1486 – Data Encrypted for Impact
T1489 – Service Stop
T1490 – Inhibit System Recovery
T1562.001 – Impair Defenses: Disable or Modify Tools
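The technique list above maps to Windows telemetry a defender can alert on. The following is an added example, not the bulletin's own detection content: it encodes one generic rule per listed technique (Security event 4624 logon type 10 from a routable address for T1133/T1021.001, Security event 1102 for T1070.001, process creation running shadow-copy or recovery tampering commands for T1490, service-stop commands for T1489, and Windows Defender operational event 5001 for T1562.001) and runs them over constructed event records. The event IDs and command lines are the standard indicators for those techniques, not Venus-specific artefacts from the bulletin; the host names, timestamps and dict field names are assumptions.

```python
"""Behavioural detections for the MITRE ATT&CK techniques listed in this bulletin.

Added example for this bulletin, not the bulletin's own detection content.
The event records are constructed and simplified (dicts instead of raw EVTX
records); the event IDs and command-line patterns are the generic indicators
commonly used for each technique, not Venus-specific artefacts.
"""
import ipaddress
import re

# T1490: commands that delete shadow copies or backup catalogs, or disable recovery.
INHIBIT_RECOVERY_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no",
    re.IGNORECASE,
)
# T1489: stopping services or killing processes that hold files open before encryption.
SERVICE_STOP_RE = re.compile(
    r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s.*/im)\b",
    re.IGNORECASE,
)


def is_external(ip):
    """True when the address is globally routable (not RFC1918, loopback, link-local)."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def rdp_from_internet(ev):
    # Security 4624 with logon type 10 (RemoteInteractive = RDP) from a routable source.
    return ev.get("id") == 4624 and ev.get("logon_type") == 10 and is_external(ev.get("src_ip", ""))


def event_log_cleared(ev):
    # Security 1102: "The audit log was cleared".
    return ev.get("id") == 1102


def inhibit_recovery(ev):
    # Security 4688 (process creation) carrying a recovery-tampering command line.
    return ev.get("id") == 4688 and INHIBIT_RECOVERY_RE.search(ev.get("cmdline", "")) is not None


def service_stop(ev):
    return ev.get("id") == 4688 and SERVICE_STOP_RE.search(ev.get("cmdline", "")) is not None


def defender_realtime_off(ev):
    # Microsoft-Windows-Windows Defender/Operational 5001: real-time protection disabled.
    return ev.get("channel") == "Microsoft-Windows-Windows Defender/Operational" and ev.get("id") == 5001


RULES = [
    ("T1133", "External Remote Services: RDP logon from routable address (also T1021.001)", rdp_from_internet),
    ("T1070.001", "Indicator Removal: Clear Windows Event Logs", event_log_cleared),
    ("T1490", "Inhibit System Recovery", inhibit_recovery),
    ("T1489", "Service Stop", service_stop),
    ("T1562.001", "Impair Defenses: Disable or Modify Tools", defender_realtime_off),
]


def evaluate(events):
    """Run every rule over every event; return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for tid, name, pred in RULES:
            if pred(ev):
                findings.append({"host": ev["host"], "time": ev["time"], "technique": tid, "name": name})
    return findings


def hosts_with_chain(findings, required=("T1133", "T1490")):
    """Hosts showing every technique in `required`; a chain is higher confidence than one hit."""
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, techs in seen.items() if set(required) <= techs)


# Constructed events: WS-042 shows an intrusion chain, FS-01 only routine admin activity.
SAMPLE_EVENTS = [
    {"host": "WS-042", "time": "02:14:05", "channel": "Security", "id": 4624, "logon_type": 10, "src_ip": "185.125.190.44"},
    {"host": "WS-042", "time": "02:31:40", "channel": "Security", "id": 4688, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-042", "time": "02:31:52", "channel": "Security", "id": 4688, "cmdline": 'net stop "MSSQL$CLINIC" /y'},
    {"host": "WS-042", "time": "02:32:10", "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001},
    {"host": "WS-042", "time": "02:58:03", "channel": "Security", "id": 1102},
    {"host": "FS-01", "time": "09:02:11", "channel": "Security", "id": 4624, "logon_type": 10, "src_ip": "10.0.5.21"},
    {"host": "FS-01", "time": "09:05:00", "channel": "Security", "id": 4688, "cmdline": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['host']} {f['time']} {f['technique']} {f['name']}")
    print("hosts with external RDP plus recovery tampering:", hosts_with_chain(evaluate(SAMPLE_EVENTS)))
```

T1486 (the encryption itself) has no rule here because by that point the useful response window has closed; the bulletin's recommendation of an EDR that halts the process is the right control for that stage. Process-creation rules depend on command-line logging being enabled for event 4688 (or on Sysmon event 1), which is a prerequisite worth verifying before relying on them. The `hosts_with_chain` aggregation is what turns single noisy hits (an administrator legitimately stopping a service) into a higher-confidence alert.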

Further Information

PCrisk – Venus removal guide