The Health Sector Cybersecurity Coordination Center (HC3) has recently published information on the tactics, techniques, and procedures used in Venus ransomware attacks, along with a number of mitigations that healthcare organizations can implement to improve their defenses against these attacks. Venus ransomware, also known as GOODGAME, is a relatively new threat. It was first observed in mid-August 2022, but it has since been used in attacks worldwide, and samples of new variants are currently being submitted daily.
Although the threat group is not known to target the healthcare industry specifically, one attack on the healthcare sector in the United States has been reported. The primary initial access vector is exploitation of publicly exposed Remote Desktop services, on both standard and non-standard TCP ports, in order to gain entry to and encrypt Windows devices.
Once access is obtained, the ransomware attempts to terminate 39 processes associated with database servers and Microsoft Office applications. It then clears event logs, deletes Volume Shadow Copies, and disables Data Execution Prevention on the compromised endpoints. Files are encrypted using the RSA and AES algorithms; encrypted files receive the .venus extension and contain a goodgamer file marker along with other data appended to the file.
The threat actor claims to exfiltrate data before encrypting files, although no data leak site has been linked to the group. This does not appear to be a ransomware-as-a-service operation; however, judging from the number of attacks and the IP addresses associated with the group, it appears to consist of several individuals.
Since the group targets publicly exposed Remote Desktop (RDP) services, healthcare organizations should ensure these services are protected behind a firewall. Windows 11 users have some built-in protection against brute-force attacks, because login attempts are automatically limited. On other Windows versions, rate limiting should be configured to restrict the number of attempts an attacker can make when connecting to Remote Desktop services. Strong, unique passwords should be set for Remote Desktop accounts, multi-factor authentication (MFA) should be enforced, and RDP access should be placed behind a Virtual Private Network (VPN).
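As an added illustration that is not part of the HC3 note or this article, the following Python sketch runs two detections over constructed Windows Security log events: repeated failed RDP logons (event 4625, logon type 10) from a single source, which is the activity firewalling and rate limiting aim to stop, and process-creation events (4688) whose command lines delete shadow copies or clear event logs, as described above. The event records, IP addresses and thresholds are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real telemetry): one external
# source hammering RDP, one internal user with a single typo, then 4688 events.
SAMPLE_EVENTS = [
    {"time": "2022-08-20T01:00:00", "id": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "User": "administrator"},
    {"time": "2022-08-20T01:00:04", "id": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "User": "admin"},
    {"time": "2022-08-20T01:00:09", "id": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "User": "backup"},
    {"time": "2022-08-20T01:00:15", "id": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "User": "sql"},
    {"time": "2022-08-20T01:00:21", "id": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "User": "scanner"},
    {"time": "2022-08-20T01:02:00", "id": 4625, "LogonType": 10, "IpAddress": "10.0.5.12", "User": "jsmith"},
    {"time": "2022-08-20T01:30:00", "id": 4688, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2022-08-20T01:30:02", "id": 4688, "CommandLine": "wevtutil.exe cl Security"},
    {"time": "2022-08-20T01:30:05", "id": 4688, "CommandLine": "explorer.exe"},
]

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with >= threshold failed RDP logons (4625, type 10) in any sliding window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625 and ev.get("LogonType") == 10:
            failures[ev["IpAddress"]].append(datetime.fromisoformat(ev["time"]))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

# Commands that remove recovery options or evidence, matching the behaviour the
# article describes (shadow copy deletion, event log clearing).
DESTRUCTIVE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
]

def destructive_commands(events):
    """Command lines from 4688 events that match the tampering patterns above."""
    return [ev["CommandLine"] for ev in events if ev["id"] == 4688
            and any(p.search(ev["CommandLine"]) for p in DESTRUCTIVE_PATTERNS)]
```

A real deployment would feed these functions from an event forwarder or SIEM query rather than an inline list, and would tune the threshold and window to the environment's normal failed-logon rate.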
The damage caused by a successful attack can be significantly limited through network segmentation. Organizations should also adopt the 3-2-1 approach to data backup: make one primary backup and two copies, keep the backups on two different media, and store one copy securely offsite. Ideally, backups should be encrypted and password-protected, and they must not be accessible from the systems where the original data resides.
Although these attacks target Remote Desktop services, security controls should also be applied to defend against other attack vectors, such as email and the exploitation of software vulnerabilities. Ensure an email security solution is in place, consider adding a banner to emails that originate from external sources, disable hyperlinks in email messages, provide employees with regular security awareness training, apply patches promptly, keep software updated to the latest version, and require administrator privileges to install software. Antivirus software should also be installed on all endpoints.
For additional information, read the HC3 Venus Ransomware Analyst Note.