
HC3 Warns Healthcare Sector of Venus Ransomware Variant

At least one US healthcare organization has suffered a Venus ransomware attack recently, HC3 noted.

In a new analyst note, the Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare sector to remain vigilant against Venus ransomware. The variant, also known as GOODGAME, has been active since at least August 2022.

At least one US healthcare entity has fallen victim to a Venus ransomware attack recently. The threat actors have been observed targeting publicly exposed Remote Desktop Services to encrypt Windows devices.

“When executed, the Venus ransomware will attempt to terminate 39 processes associated with database servers and Microsoft Office applications. As the ransomware appears to be targeting publicly-exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall,” the analyst note stated.

“The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command. When encrypting files, the ransomware uses AES and RSA algorithms and will append the ‘.venus’ extension. In each encrypted file, a 'goodgamer' filemarker and other information are added to the end of the file.”
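The note gives two file-level indicators a responder can act on immediately: the appended '.venus' extension and the 'goodgamer' filemarker at the end of each encrypted file. The following Python script is an added example, not code from HC3 or this article. It walks a directory tree, separates '.venus' files that actually carry the marker from ones that were merely renamed, lists which original file types were hit, and reports the modification-time window to anchor the incident timeline. The trailer layout beyond the marker string is not published, so the script assumes the marker is a literal ASCII string within the last 4 KiB of the file; the sample tree it builds for the dry run is constructed, not victim data.

```python
"""Venus ransomware file triage (added example; assumptions noted inline)."""
import os
import tempfile
from datetime import datetime, timezone

VENUS_EXT = ".venus"
FILEMARKER = b"goodgamer"
TAIL_BYTES = 4096  # assumption: the marker sits within the last 4 KiB of the file


def has_filemarker(path, tail_bytes=TAIL_BYTES):
    """True if the trailing bytes of the file contain the filemarker."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            fh.seek(max(0, size - tail_bytes))
            return FILEMARKER in fh.read()
    except OSError:
        return False


def original_name(path):
    """Recover the pre-encryption filename by stripping the appended extension."""
    name = os.path.basename(path)
    return name[:-len(VENUS_EXT)] if name.lower().endswith(VENUS_EXT) else name


def triage(root):
    """Split .venus files into those carrying the marker and those without.

    Each list holds (path, mtime) tuples sorted by mtime, so the first entry
    of 'encrypted' approximates when encryption began on this share or host.
    Files without the marker deserve a manual look: partially written, or a
    different family that happens to use the same extension.
    """
    encrypted, renamed_only = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(VENUS_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.path.getmtime(path)
            except OSError:
                continue
            bucket = encrypted if has_filemarker(path) else renamed_only
            bucket.append((path, mtime))
    encrypted.sort(key=lambda item: item[1])
    renamed_only.sort(key=lambda item: item[1])
    return encrypted, renamed_only


def summarize(root):
    """Counts, original extensions hit, and the encryption time window (UTC)."""
    encrypted, renamed_only = triage(root)
    extensions = sorted({os.path.splitext(original_name(p))[1].lower() for p, _ in encrypted})
    window = None
    if encrypted:
        first = datetime.fromtimestamp(encrypted[0][1], timezone.utc)
        last = datetime.fromtimestamp(encrypted[-1][1], timezone.utc)
        window = (first.isoformat(), last.isoformat())
    return {
        "encrypted": len(encrypted),
        "renamed_only": len(renamed_only),
        "extensions": extensions,
        "window_utc": window,
    }


def build_constructed_sample(root):
    """Write a constructed sample tree (not real victim data) for a dry run."""
    os.makedirs(os.path.join(root, "shares", "finance"), exist_ok=True)
    filler = bytes(range(256)) * 8  # stands in for ciphertext
    # Encrypted: opaque bytes followed by the marker and an opaque trailer
    with open(os.path.join(root, "shares", "finance", "q3.xlsx.venus"), "wb") as fh:
        fh.write(filler + FILEMARKER + b"\x00" * 64)
    with open(os.path.join(root, "shares", "report.docx.venus"), "wb") as fh:
        fh.write(filler[:512] + FILEMARKER + b"\x00" * 64)
    # Renamed but no marker: partially written, or not this family at all
    with open(os.path.join(root, "shares", "notes.txt.venus"), "wb") as fh:
        fh.write(b"plain text that was only renamed")
    # Untouched file, must be ignored
    with open(os.path.join(root, "shares", "readme.txt"), "w") as fh:
        fh.write("not touched\n")


def demo():
    """Run the triage against the constructed sample and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return summarize(root)


if __name__ == "__main__":
    print(demo())
```

Run it as-is for the dry run, or call summarize() on a mounted share. Modification times are only a starting point: a restore, a copy, or the malware itself may have touched timestamps, so cross-check the window against whatever event logs survive, bearing in mind that the note says this family deletes them.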

HC3 also pointed out that the Venus ransomware variant does not appear to be associated with VenusLocker, and that its operators do not appear to run it under a ransomware-as-a-service (RaaS) model.

“Despite this, the ransomware uses a wide variety of contact email addresses and TOX IDs, indicating it is likely that multiple threat actors are distributing the ransomware,” the note continued.

Ransom demands have been known to start at 1 Bitcoin (BTC), which was worth less than $20,000 at the time of the note.

HC3 recommended that healthcare organizations continue to remain vigilant and employ security best practices to defend against this variant and others.

Healthcare entities should implement ransomware recovery plans, network segmentation, and multi-factor authentication (MFA). Organizations may also want to consider implementing MFA for Remote Desktop Protocol (RDP) access and placing RDP behind a VPN.

In addition, healthcare organizations should maintain reliable, offline backups, disable hyperlinks in received emails, and install patches and updates as soon as they are released.
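The note's observation that Remote Desktop is being hit even on non-standard TCP ports means a port-based inventory is not enough; an external exposure check has to recognise the service by its handshake. The following Python probe is an added example, not code from HC3 or this article, and it serves both the firewall point in the note and the MFA/VPN recommendation above. It sends the TPKT-framed X.224 Connection Request carrying an RDP Negotiation Request defined in MS-RDPBCGR and decodes the server's Connection Confirm, so an RDP listener is identified on any port, and the negotiation result also shows whether Network Level Authentication is enforced. The target address, the port list and the sample server replies are placeholders and constructed data, not anything from the page.

```python
"""Fingerprint RDP listeners by handshake, not by port (added example)."""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000      # standard RDP security only
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03

# failureCode values in RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
SSL_REQUIRED_BY_SERVER = 0x01
HYBRID_REQUIRED_BY_SERVER = 0x05


def build_x224_connection_request(requested=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # X.224 CR fixed part: LI, code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_x224_connection_confirm(data):
    """Decode the server reply; None if it is not an X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        return None
    reply = {"selected_protocol": None, "failure_code": None}
    body = data[11:]  # after LI, code, DST-REF, SRC-REF, class option
    if len(body) >= 8:
        kind, _flags, _length, value = struct.unpack("<BBHI", body[:8])
        if kind == TYPE_RDP_NEG_RSP:
            reply["selected_protocol"] = value
        elif kind == TYPE_RDP_NEG_FAILURE:
            reply["failure_code"] = value
    return reply


def classify(reply):
    """Turn a decoded reply into a finding for the exposure report."""
    if reply is None:
        return "no RDP handshake"
    if reply["failure_code"] == HYBRID_REQUIRED_BY_SERVER:
        return "RDP listener, NLA enforced"
    if reply["failure_code"] == SSL_REQUIRED_BY_SERVER:
        return "RDP listener, TLS required but NLA not enforced"
    if reply["selected_protocol"] == PROTOCOL_RDP:
        return "RDP listener, standard RDP security accepted (no NLA)"
    return "RDP listener, negotiation result unknown"


def probe(host, port, timeout=3.0):
    """Connect, send the Connection Request, classify whatever comes back.

    Requesting PROTOCOL_RDP only is deliberate: a server that enforces NLA has
    to refuse with HYBRID_REQUIRED_BY_SERVER, which is the signal we want.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_x224_connection_request(PROTOCOL_RDP))
            data = sock.recv(64)
    except OSError:
        return "no RDP handshake"
    return classify(parse_x224_connection_confirm(data))


def scan(host, ports):
    """Return {port: finding} for every port that answered the RDP handshake."""
    findings = {}
    for port in ports:
        finding = probe(host, port)
        if finding != "no RDP handshake":
            findings[port] = finding
    return findings


# Constructed server replies for offline checks; not captured traffic.
def _sample_confirm(body):
    x224 = struct.pack(">BBHHB", 6 + len(body), 0xD0, 0, 0x1234, 0) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


SAMPLE_NLA_ENFORCED = _sample_confirm(
    struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER))
SAMPLE_NO_NLA = _sample_confirm(
    struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP))
SAMPLE_NOT_RDP = b"SSH-2.0-OpenSSH_9.3\r\n"  # constructed banner from a non-RDP service


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder address
    print(scan(target, [3389, 3390, 33890, 443, 8443]))  # placeholder port list
```

Run it from outside the perimeter against your own public ranges. Any RDP listener it finds, NLA-enforced or not, is one the note says belongs behind a firewall or VPN; the NLA result only tells you how bad the interim exposure is. A VPN concentrator or Remote Desktop Gateway in front of the service does not answer this handshake, which is the result you want to see.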
