The Health Sector Cybersecurity Coordination Center (HC3) has released an analyst note to raise health organizations’ awareness of the Venus ransomware. In the note, HC3 shares information on the tactics, techniques, and procedures used in Venus ransomware attacks and a number of measures that health sector organizations can take to improve their cybersecurity.
According to HC3, Venus ransomware was first observed in August 2022 and has since been used against organizations worldwide. When executed, Venus attempts to terminate 39 processes associated with Microsoft Office and database servers, so that files those processes hold open can be encrypted. It also runs a command that clears Windows event logs, deletes Volume Shadow Copies, and disables Data Execution Prevention (DEP), hampering both recovery and later forensic analysis. Because the ransomware appears to target publicly exposed Remote Desktop services, including those listening on non-standard TCP ports, healthcare organizations should place these services behind a firewall rather than expose them to the internet. The ransomware encrypts files using the AES and RSA algorithms and appends the “.venus” extension; a filemarker reading “goodgamer” and other data are appended to the end of each encrypted file. The threat actor claims to exfiltrate data before encrypting files, although the group has not been linked to any data leak site. The operation does not appear to be ransomware-as-a-service, although judging by the volume of attacks and the associated IP addresses the group appears to consist of several individuals. Open source reports place the contacting IP addresses in several countries, including the US, the UK, and France. Initial ransom demands have been approximately 1 BTC, or less than $20,000 USD.
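The behaviours described above translate directly into triage logic. The script below is an added example written for this page, not code from HC3, from the original article, or from a Venus sample. It assumes the usual Windows commands for shadow copy deletion (vssadmin/wmic), event log clearing (wevtutil) and DEP disabling (bcdedit), since the exact command Venus runs is not quoted here, and it assumes the “goodgamer” filemarker is stored as plain ASCII in the tail of each encrypted file. The process log format and the sample files are constructed for the example.

```python
"""Triage helpers for the Venus ransomware behaviours described above.

Added example, not HC3 or Venus code. The command-line patterns are the
common Windows commands for the three anti-recovery actions the note
describes; they are assumptions, not indicators copied from the advisory.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Assumed patterns for shadow copy deletion, event log clearing and DEP disable.
ANTI_RECOVERY_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "dep_disable": re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bnx\s+AlwaysOff", re.I),
}

VENUS_EXTENSION = ".venus"
VENUS_MARKER = b"goodgamer"  # assumed: ASCII filemarker appended near the file tail

# Constructed sample of process-creation records: "timestamp<TAB>user<TAB>command line".
SAMPLE_PROCESS_LOG = [
    "2022-11-10T03:12:44Z\tSYSTEM\tC:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2022-11-10T03:13:02Z\tadmin\tcmd.exe /c wmic shadowcopy delete & wevtutil cl System & wevtutil cl Security",
    "2022-11-10T03:13:05Z\tadmin\tbcdedit.exe /set {current} nx AlwaysOff",
    "2022-11-10T03:13:09Z\tadmin\tvssadmin.exe list shadows",
]


def classify_command_line(cmdline: str) -> List[str]:
    """Return the names of every anti-recovery action the command line matches."""
    return [name for name, pat in ANTI_RECOVERY_PATTERNS.items() if pat.search(cmdline)]


def scan_process_log(lines: Iterable[str]) -> List[Tuple[int, List[str], str]]:
    """Return (line_no, matched_actions, command_line) for every matching record."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) < 3:
            continue  # malformed record, skip rather than crash mid-triage
        matches = classify_command_line(parts[2])
        if matches:
            hits.append((line_no, matches, parts[2]))
    return hits


def looks_venus_encrypted(path: Path, tail_bytes: int = 512) -> bool:
    """True if the file carries the .venus extension AND the marker in its tail.

    Requiring both avoids flagging a file that was merely renamed.
    """
    if path.suffix.lower() != VENUS_EXTENSION:
        return False
    with path.open("rb") as fh:
        fh.seek(0, 2)
        size = fh.tell()
        fh.seek(max(0, size - tail_bytes))
        return VENUS_MARKER in fh.read()


def find_encrypted_files(root: Path) -> List[Path]:
    """Walk root and return every file that looks Venus-encrypted, sorted by path."""
    return sorted(p for p in root.rglob("*") if p.is_file() and looks_venus_encrypted(p))


def build_demo_tree(root: Path) -> None:
    """Write constructed sample files: two 'encrypted', one clean, one renamed decoy."""
    (root / "notes.txt").write_bytes(b"plain text, untouched")
    (root / "report.docx.venus").write_bytes(b"\x00" * 64 + VENUS_MARKER + b"\x11" * 32)
    (root / "db.mdf.venus").write_bytes(b"\xab" * 2048 + VENUS_MARKER + b"\x00" * 100)
    (root / "renamed.venus").write_bytes(b"no marker here")  # extension only, not flagged


def run_demo() -> Dict[str, object]:
    """Run both checks on the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        encrypted = [p.name for p in find_encrypted_files(root)]
    return {"encrypted_files": encrypted, "process_hits": scan_process_log(SAMPLE_PROCESS_LOG)}


if __name__ == "__main__":
    findings = run_demo()
    print("Files that look Venus-encrypted:", findings["encrypted_files"])
    for line_no, actions, cmd in findings["process_hits"]:
        print(f"log line {line_no}: {', '.join(actions)} <- {cmd}")
```

In production the command-line check would run over EDR or Sysmon Event ID 1 telemetry rather than a list of strings, and the file scan should be pointed at file shares and database volumes first, since those are what the terminated processes were holding open.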
HC3 recommends several mitigations to defend against Venus ransomware. Healthcare organizations are advised to implement a comprehensive recovery plan that maintains multiple copies of sensitive data on physically separate servers. Organizations should also segment their networks, keep offline backups, ensure that backup copies of sensitive data cannot be modified or deleted, install and regularly update antivirus software and operating systems, disable hyperlinks in received emails, enforce multi-factor authentication, and follow the National Institute of Standards and Technology’s guidance for developing and managing password policies.