Remote desktop services targeted by devious ransomware

Researchers urging businesses to keep remote desktop behind firewalls

Publicly exposed Remote Desktop services are being abused to deploy new ransomware onto target endpoints, researchers are saying.

A cybersecurity researcher going by the name linuxct recently reached out to MalwareHunterTeam to try to learn more about a ransomware strain they discovered called Venus.

The team later found that the ransomware operators had been active since mid-August 2022, targeting victims across the world by gaining access to a corporate network through the Windows Remote Desktop protocol, even when an organization uses an unusual port number for the service.

Hiding behind a firewall

The best way to protect against such attacks, researchers concluded, is to put these services behind a firewall. What’s more, Remote Desktop Services shouldn’t be publicly exposed, and would ideally be accessible only through a Virtual Private Network (VPN).
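The recommendation above is easy to state and easy to get wrong in practice: moving the listener to a non-default port, as the article notes, does not hide it, and a host firewall rule that allows the port from "Any" is equivalent to no rule at all. The following PowerShell script is an added example written for this page (it is not from the article or from the researchers it cites). It audits a Windows host for an enabled RDP listener, reports the port actually in use, finds inbound allow rules that expose that port to any address, and scopes them to a VPN client subnet. The subnet `10.8.0.0/24` and the rule name are placeholders to replace with your own; the script assumes an elevated session on Windows 10 / Server 2016 or later with the NetSecurity module.

```powershell
# Added example (not from the article): audit local RDP exposure and scope
# inbound RDP to a VPN client subnet using Windows Defender Firewall.
# Assumptions: elevated session; VPN client subnet 10.8.0.0/24 is a placeholder.

$VpnSubnet = '10.8.0.0/24'   # placeholder: replace with your VPN client range

# 1. Is RDP enabled? fDenyTSConnections = 0 means connections are accepted.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Which port does the listener use? A non-default port is still a listener.
$portKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $portKey -Name PortNumber).PortNumber

# 3. Confirm something is actually bound to that port right now.
$listening = Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue

Write-Host "RDP enabled: $rdpEnabled  port: $rdpPort  listening: $($null -ne $listening)"

# 4. Find enabled inbound allow rules that open this port to any remote address.
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$rdpPort" -and
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }

foreach ($rule in $openRules) {
    Write-Warning "Rule '$($rule.DisplayName)' allows TCP/$rdpPort from Any; restricting to $VpnSubnet"
    # Keep the rule, but only VPN clients may reach the listener through it.
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $VpnSubnet
}

# 5. Make sure an explicitly scoped allow rule exists (safe to re-run).
$ruleName = 'RDP (VPN clients only)'   # placeholder name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $rdpPort -RemoteAddress $VpnSubnet -Action Allow -Profile Any
}
```

Scoping the host firewall is one layer only: if a perimeter device or cloud security group forwards the port from the internet, that rule has to go as well, and the audit in steps 1 to 3 is worth running across the fleet so that a listener on an "unusual" port is found before someone else finds it.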

Finally, the ransomware drops a ransom note demanding payment in cryptocurrency in exchange for the decryption key. Venus usually demands bitcoin, and the latest information puts the demand at 0.02 BTC, approximately $380, for the decryption key.

The end of the ransom note holds a base64-encoded blob, which researchers believe is most likely the encrypted decryption key. New submissions are being uploaded to ID Ransomware daily.

Last year, there was another ransomware strain using the same encrypted file extension, but researchers are not sure if it’s the same ransomware variant or not.
