Public Remote Desktop services under attack from Venus ransomware

Windows devices are being encrypted by the new Venus ransomware, which compromises publicly exposed Remote Desktop services, according to BleepingComputer. The threat actors behind Venus use the Windows Remote Desktop Protocol to break into corporate networks, even when the service runs on a non-standard port number. On execution, Venus attempts to terminate 39 processes belonging to Microsoft Office applications and database services, then deletes event logs and Volume Shadow Copies and disables Data Execution Prevention. Venus has also been observed adding a "goodgamer" file marker and additional information to encrypted files. The ransomware writes an HTA ransom note to the %Temp% folder and displays it as soon as device encryption finishes. The ransom note includes a TOX address and an email address, along with what may be an encrypted decryption key.
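As an added detection example, not code from the article or from BleepingComputer's reporting, the following Python script scans process-creation log lines for the behaviours described above (shadow copy deletion, event log clearing, DEP being switched off, and an HTA file launched from %Temp%) and flags hosts where several of them fire together. The log format and the command-line patterns are assumptions based on commonly abused built-in Windows tools, not strings quoted from the article, and the sample log lines are constructed.

```python
import re

# The command-line patterns below are assumptions: commonly abused built-in
# Windows tools for the behaviours the article lists, not strings it quotes.
INDICATORS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "dep_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+(\{current\}\s+)?nx\s+alwaysoff", re.I),
    "hta_in_temp": re.compile(r'mshta(\.exe)?\s+"?[^"]*\\temp\\[^"]*\.hta', re.I),
}

def parse_line(line):
    """Parse 'host=<name> cmdline=<command>' (assumed log format) into a tuple."""
    m = re.match(r"host=(\S+)\s+cmdline=(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def scan(lines):
    """Return (host, indicator, cmdline) for every line matching an indicator."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, cmd = parsed
        for name, pat in INDICATORS.items():
            if pat.search(cmd):
                hits.append((host, name, cmd))
    return hits

def hosts_with_multiple_indicators(hits, threshold=2):
    """Hosts where several distinct indicators fire: more likely ransomware staging than one admin command."""
    by_host = {}
    for host, name, _ in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if len(names) >= threshold)

# Constructed sample telemetry in the assumed format; not real log data.
SAMPLE_LOG = [
    r'host=ws-042 cmdline=vssadmin.exe delete shadows /all /quiet',
    r'host=ws-042 cmdline=wevtutil.exe cl Security',
    r'host=ws-042 cmdline=bcdedit.exe /set {current} nx AlwaysOff',
    r'host=ws-042 cmdline=mshta.exe "C:\Users\alice\AppData\Local\Temp\README.hta"',
    r'host=srv-backup cmdline=wevtutil.exe cl Application',  # lone admin action
    r'host=ws-007 cmdline=notepad.exe C:\Users\bob\notes.txt',
]

if __name__ == "__main__":
    for host, name, cmd in scan(SAMPLE_LOG):
        print(f"{host}: {name}: {cmd}")
    print("escalate:", hosts_with_multiple_indicators(scan(SAMPLE_LOG)))
```

A single event log clearing on srv-backup stays a low-priority hit, while ws-042 triggers all four indicators and is returned for escalation.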
