
Remote desktop services targeted by malicious ransomware

Publicly exposed Remote Desktop Services are being abused to deploy a new ransomware strain on targeted endpoints, researchers say.

A cybersecurity researcher going by the moniker linuxct recently reached out to MalwareHunterTeam to learn more about a ransomware strain they had discovered, called Venus.

The team later established that the ransomware operators had been active since mid-August 2022, targeting victims worldwide by gaining access to corporate networks over the Windows Remote Desktop Protocol (RDP), even where the organization had moved the service to a non-standard port.

Hiding behind a firewall

The best way to defend against such attacks, the researchers concluded, is to put these services behind a firewall. Remote Desktop Services should not be exposed to the internet at all and ideally would only be reachable over a virtual private network (VPN); changing the listening port is not a substitute, since scanners identify RDP by its handshake rather than by port number.
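To show why a non-standard port offers no protection, here is an added example (written for this edit, not code from the article, BleepingComputer or the researchers) that fingerprints RDP on any TCP port the way internet-wide scanners do: it sends the X.224 Connection Request that opens every RDP session (MS-RDPBCGR) and parses the server's Connection Confirm, reporting whether the service answered and which security protocol (legacy RDP, TLS or CredSSP/NLA) it selected. The `probe()` function needs network access; the parser is exercised against constructed server responses embedded in the block, so the logic runs offline. The cookie identifier `probe` and the sample bytes are assumptions for illustration.

```python
"""Fingerprint RDP on an arbitrary TCP port via the X.224 Connection Request/Confirm."""
import socket
import struct

# requestedProtocols / selectedProtocol flags from MS-RDPBCGR RDP_NEG_REQ / RDP_NEG_RSP
PROTOCOL_RDP = 0x0        # legacy "standard RDP security", no TLS
PROTOCOL_SSL = 0x1        # TLS
PROTOCOL_HYBRID = 0x2     # CredSSP (Network Level Authentication)
PROTOCOL_HYBRID_EX = 0x8  # CredSSP with early user authorization

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID,
                             cookie=b"mstshash=probe"):
    """TPKT header + X.224 Connection Request carrying a cookie and RDP_NEG_REQ."""
    # RDP_NEG_REQ: type(1) flags(1) length(2, LE) requestedProtocols(4, LE)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    body = b"Cookie: " + cookie + b"\r\n" + neg_req
    # X.224 CR TPDU: LI, code 0xE0, dst-ref, src-ref, class; LI counts bytes after itself
    x224 = struct.pack(">BBHHB", 6 + len(body), 0xE0, 0, 0, 0) + body
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))  # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data):
    """Classify a server reply; returns a dict with rdp=False for anything non-RDP."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        return {"rdp": False, "reason": "not a TPKT frame"}
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        return {"rdp": False, "reason": "TPKT length mismatch"}
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:                      # X.224 Connection Confirm
        return {"rdp": False, "reason": "not an X.224 CC TPDU"}
    if li == 6:                                  # CC without RDP_NEG_RSP: legacy security
        return {"rdp": True, "kind": "legacy", "selected_protocol": PROTOCOL_RDP,
                "nla": False}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        return {"rdp": False, "reason": "bad negotiation length"}
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"rdp": True, "kind": "negotiation_response", "selected_protocol": value,
                "nla": bool(value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"rdp": True, "kind": "negotiation_failure",
                "failure": FAILURE_CODES.get(value, f"unknown({value})")}
    return {"rdp": False, "reason": "unknown negotiation type"}


def probe(host, port, timeout=3.0):
    """Connect to host:port, send the request and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return parse_connection_confirm(s.recv(1024))


# Constructed server replies (not captured from any real host) used for offline checks:
# TPKT(19 bytes) + X.224 CC(src-ref 0x1234) + RDP_NEG_RSP selecting CredSSP
SAMPLE_NLA = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00\x02\x00\x08\x00\x02\x00\x00\x00"
# Same framing, RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER
SAMPLE_FAIL = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00\x03\x00\x08\x00\x05\x00\x00\x00"
# Bare CC with no negotiation block: server still speaks legacy RDP security
SAMPLE_LEGACY = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_NLA, SAMPLE_FAIL, SAMPLE_LEGACY, SAMPLE_HTTP):
        print(parse_connection_confirm(sample))
```

Run `probe("<host>", <port>)` against an address you are authorized to test: any port that returns a Connection Confirm is an RDP endpoint regardless of what number it listens on, which is exactly how exposed services on unusual ports end up in scanner databases. Note also that a `legacy` or non-NLA result means the server will show a login screen to anyone before authentication, so the VPN or firewall recommendation applies doubly there.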

As for the Venus ransomware, its modus operandi is not unusual for this type of malware. Once network mapping, endpoint identification and other reconnaissance work is done, the malware kills 39 processes used by database servers and Office applications. It then deletes event logs and volume shadow copies, disables Data Execution Prevention (DEP), and encrypts all files, appending the .venus extension.

Finally, the ransomware will create a ransom note demanding payment in cryptocurrencies in exchange for the decryption key. Venus usually requires payment in Bitcoin, and the latest information indicates that the group is demanding 0.02 BTC, or roughly $380, per decryption key.

At the end of the ransom note is a base64-encoded blob that researchers believe is most likely an encrypted decryption key, and new samples are being submitted to ID Ransomware daily.

Another strain of ransomware appeared last year that uses the same encrypted file extension, but researchers aren’t sure if it’s the same ransomware variant.

Via: BleepingComputer

https://www.techradar.com/news/remote-desktop-services-targeted-by-devious-ransomware/
