Summary of Venus Ransomware

  • Venus ransomware emerged in mid-2021.
  • Current intelligence indicates that Venus is an evolution or replacement for Zeoticus ransomware.
  • Venus is not sold as a traditional RaaS, but is rather an all-inclusive package including compiled binary and access to decryptors.
  • Venus ransomware does not currently host a victim shaming or data hosting blog or site.

What Does Venus Ransomware Target?

  • Large enterprises, high-value targets
  • Small and medium businesses (SMBs)
  • Targeting will vary depending on subscriber (affiliate)

How Does Venus Ransomware Spread?

  • Phish and spear phishing emails
  • Exposed and vulnerable applications and services (RDP)
  • Third-party framework (e.g., Empire, Metasploit, Cobalt Strike)

Venus Ransomware Technical Details

Similar to Zeoticus, Venus ransomware is available as a ‘complete’ package, meaning purchases allow access to a compiled binary and to respective decryptor packages. Venus does not currently host a public victim portal. Also similar to Zeoticus, victimology appears to be non-discriminatory. There is currently no data to suggest the targeting of any specific industries exclusively. Initial access is reported to be exposed and vulnerable RDP (Remote Desktop Protocol) services.

Upon execution, the malware spawns a number of additional processes to look for and terminate any inhibiting processes, set up the machine for encryption, and then ultimately launch the ransomware payload. It also attempts to cover tracks and block various recovery mechanisms. These include the usual culprits including VSS deletion. A hard-coded list of processes is compared against what is running on the target and any applicable processes are shutdown (via taskkill.exe).

How to Detect Venus Ransomware

  • The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with Venus ransomware.

How to Mitigate Venus Ransomware

  • The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with Venus.

How to Remove Venus Ransomware

  • SentinelOne customers are protected from Venus ransomware without any need to update or take action. In cases where the policy was set to Detect Only and a device became infected, remove the infection by using SentinelOne’s unique rollback capability. As the accompanying video shows,  the rollback will revert any malicious impact on the device and restore encrypted files to their original state.