SafeBreach Adds/Updates Coverage for New Malware and Ransomware Variants

Nov 30, 2022

Author: Kaustubh Jagtap, Product Marketing Director, SafeBreach

The SafeBreach Platform has been updated with coverage for several newly discovered threats, including novel malware and ransomware variants. SafeBreach customers can select and run these attacks from the SafeBreach Hacker’s Playbook to validate that their security controls detect and block these threats. Additional details about the threat and our coverage are provided below.

Venus Ransomware

This ransomware variant (also known as GOODGAME) has been active since August 2022 and has targeted victims worldwide. Threat actors leveraging Venus ransomware gain initial access through publicly exposed Remote Desktop Services (RDP), including instances listening on non-standard TCP ports, and then encrypt the compromised Windows devices. Based on the information available, Venus ransomware attempts to terminate 39 processes associated with database servers and Microsoft Office applications so that files they hold open can be encrypted. The ransomware also deletes event logs and Volume Shadow Copies and disables Data Execution Prevention (DEP). Files are encrypted using the AES and RSA algorithms and given the ‘.venus’ extension; a ‘goodgamer’ filemarker and other information are appended to the end of each encrypted file. Open-source reports indicate that initial ransom demands may start around 1 BTC or less than USD $20,000. Samples in the wild have been observed contacting IP addresses in various countries including the US, Great Britain, Denmark, France, Ireland, the Netherlands, Russia, and Japan.
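The two on-disk indicators named above, the ‘.venus’ extension and the ‘goodgamer’ filemarker appended to each encrypted file, are enough to build a quick hunt for affected files on a recovered volume or file share. The script below is an added example written for this page; it is not SafeBreach code and not part of the attack coverage listed here. Because the exact layout of the appended trailer is not described, the script assumes the marker falls within the last 4 KiB of the file (the TAIL_BYTES constant) and searches that region; the sample files it creates are constructed for the dry run, not real encrypted data.

```python
"""Hunt a directory tree for files bearing Venus ransomware's on-disk markers.

Added example, not SafeBreach's own code. It looks only for the two
indicators the write-up names: the '.venus' extension and a 'goodgamer'
filemarker appended to each encrypted file. The layout of the trailer is
not published here, so the marker is searched for within the last
TAIL_BYTES of each file (assumption). A file carrying both indicators is
reported as high confidence; either one alone is reported as low
confidence so that, for example, a renamed file is not silently missed.
"""
import os
import tempfile

VENUS_EXTENSION = ".venus"
VENUS_MARKER = b"goodgamer"
TAIL_BYTES = 4096  # assumption: the appended trailer fits in the last 4 KiB


def _tail(path, n=TAIL_BYTES):
    """Return the last n bytes of a file without reading the whole file."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - n))
        return fh.read()


def classify(path):
    """Return 'high', 'low' or None for a single file."""
    has_ext = path.lower().endswith(VENUS_EXTENSION)
    has_marker = VENUS_MARKER in _tail(path)
    if has_ext and has_marker:
        return "high"
    if has_ext or has_marker:
        return "low"
    return None


def hunt(root):
    """Walk root and return {relative_path: confidence} for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            conf = classify(full)
            if conf:
                hits[os.path.relpath(full, root)] = conf
    return hits


def build_sample_tree():
    """Create a constructed sample tree (not a real infection) for a dry run."""
    root = tempfile.mkdtemp(prefix="venus_hunt_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        # both indicators: an encrypted file as the write-up describes it
        "docs/budget.xlsx.venus": b"\x00" * 512 + b"RSA-blob" + VENUS_MARKER,
        # marker only: the file was renamed after encryption
        "docs/report.docx": b"\x00" * 512 + VENUS_MARKER,
        # extension only: no trailer, e.g. a decoy or an interrupted write
        "docs/notes.txt.venus": b"plain text",
        # clean file, must not be reported
        "docs/readme.txt": b"nothing to see here",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, conf in sorted(hunt(sample_root).items()):
        print(f"{conf:>4}  {rel}")
```

Run it against a mounted image or share root instead of the sample tree to triage which files were actually encrypted versus merely renamed; the low-confidence hits are the ones worth opening by hand before restoring from backup.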

SafeBreach Coverage of Venus Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the new ransomware variant.

  • #8015 – Write Venus ransomware malware to disk (Host-Level)

  • #8026 – Transfer of Venus ransomware malware over HTTP/S (Lateral Movement)

  • #8027 – Transfer of Venus ransomware malware over HTTP/S (Infiltration)

  • #8028 – Email Venus ransomware malware as a ZIP attachment (Lateral Movement)

  • #8029 – Email Venus ransomware malware as ..

