Venus Ransomware | Intel 471 Skip to content

Venus Ransomware

Oct 20, 2022
Homepage Hero

Threat Summary

Venus Ransomware is a malware that started its operation in August 2022, which was reported on by the researchers at MalwareHunterTeam. On October 16th, 2022 BleepingComputer released a report detailing the techniques observed by the Venus Ransomware variant. The actors utilizing the ransomware variant are abusing publicly-exposed Remote Desktop services to carry out their encryption, appending the ".venus" extension to files that were encrypted on compromised hosts. Victims have been observed around the world, however specific countries or organizations have not been explicitly identified as of yet. Venus Ransomware is understood as active, with new samples being seen submitted on a daily basis to the ID Ransomware website run by the MalwareHunterTeam - thus the variant poses a significant and present risk that should be ascertained and prepared for, especially if your environment has publicly facing RDP services.

Threat Synopsis - Venus Ransomware

Venus Ransomware, was observed and examined by MalwareTeamHunter researchers in October of 2022, abusing public facing Remote Desktop services on victim machines to gain initial access. The variant utilizes TTPs that are not unconventional, but are still operative and have been observed to be active as of late by researchers. At its outset, the variant targets and exploits Windows Remote Desktop protocol services that are exposed publicly - even abusing non-standard port numbers that are not standard.

After initial access is achieved and the variant is executed, the malware will attempt to kill "39 processes that are associated with database servers and Microsoft Office applications..." to allow the encryption of files without any connected processes that might impede on the action. In addition, it will attempt to hinder system recovery by deleting shadow copies, event logging, and disabling of Data Execution Prevention. Thereafter, the malware will encrypt files and append the ".venus" extension to the afflicted files. It was also noted that the variant will add a "goodgamer" file marker at the end of the encrypted files. An HTA ransom note will be then spawned in the %Temp% folder and displayed upon completion of the encryption process.

GET THE FREE HUNT PACKAGES!
CHECK OUT OTHER EMERGING THREATS >
Share this article
All Resources

Featured Content

Hacktivism listing
Blog Articles
Pro-Russian hacktivism: Shifting alliances, new groups and risks
Intel 471 Logo 2024
Blog Articles
mommy Access Broker
Intel 471 Logo 2024
Webinars
Intelligence-Driven Threat Hunting Workshop: Analyzing Malware Behaviors
Adobe Stock 595371799 Editorial Use Only
Blog Articles
NATO summit commences in tandem with tense cyber, kinetic conflict
UK 2025 Threat Landscape Report Listing
Whitepapers
UK 2025 Threat Landscape Report
Intel 471 Logo 2024
News
Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms
Featured Resource
Intel 471 Logo 2024

AresLoader is a new loader malware-as-a-service (MaaS) offered by threat actors with links to Russian hacktivism that was spotted recently in the wild.

© 2025 Intel 471  |  Privacy Policy  |  Terms of Service  |  Legal Agreements  |  Modern Slavery and Human Trafficking Statement