Venus, one of the latest ransomware groups in the new panorama


In the new panorama of ransomware groups, Venus is certainly the group that most affected in terms of organization and way of operating. A group that, to communicate with their victims, does not like to use the Tor channel, but directs their victims to chat and IM channels such as Tox, Jabber or e-mail. The first file samples were found and analyzed at the beginning of last August and this period also coincides with the birth of the group.

We have observed that the main, but not the only one, vector used by Venus to enter victims’ computer networks is the Remote Desktop Protocol (RDP), a proprietary Microsoft protocol that helps an administrator manage remote devices. A practice often used by almost all ransomware groups. A way to infiltrate networks that does not present high costs unlike, for example, “phishing campaigns”.

As previously written, the RDP is the tool mainly used by Venus, but not the only one, as he himself confirmed. Another feature of Venus is the affiliation to affiliate programs (RaaS), also in this case the ransomware group has confirmed it.

They have confirmed to us that they do not attack government institutions, education or health related entities unlike what is reported in a report published by the Health Sector Cybersecurity Coordination Center (HC3) and that it is not linked to political groups.

Below is our interview with the Venus ransomware group

SuspectFile – During the first ten months of 2022 we saw dozens of new ransomware groups appear, many of which disappeared within a few months, while others are still very active, such as Black Basta, RansomHouse, BianLian, Royal, and others. Some analysts and journalists in this sector claim that the ransomware phenomenon has gone down in 2022, a claim which is not consistent with SuspecFile. We believe that this phenomenon is constantly growing, especially in the medical and educational sectors.
What can you tell us about it? What is your opinion?

Venus – We don’t touch government agencies.

SuspectFile – We’ve seen your first samples since August of this year, does that mean Venus was formed two months ago?

Venus – Yes we are a new group.

SuspectFile – We’ve seen that different groups prefer to hit certain targets, such as educational and medical. Do you have a specific target or is one victim as good as another for you?

Venus – we only work on commercial companies

SuspectFile – After we published the code stolen from LockBit 3.0, we saw the birth of many new groups, many of which also recycled what was written in the LockBit ransom notes. We haven’t seen anything like that in your note, can we say the same about the code present in your ransomware?

Venus – we don’t copy the style of our peers

SuspectFile – According to industry analysts, your specialty, your signature handwriting, is that you attack victims through RDP logins. What can you tell us about that?

Venus – RDP is one way to infiltrate.

SuspectFile – Your ransom notes, readme.txt, have some of your contact information such as email, jabber and Tox, but we haven’t seen a .onion blog or a Telegram channel. What channels do you use to list your victims, if any?

Venus – The channels are different, you listed them

SuspectFile – keeps a close eye on cyberattacks in healthcare and education, can you tell us if you’ve hit a public or private hospital or educational institution to date?

Venus – we don’t touch public institutions

SuspectFile – Is Venus Ransomware a closed group or does it have affiliates (RaaS)?

Venus – There are affiliate programs.

SuspectFile – In the recent past, some well-known ransomware groups have disbanded for a variety of reasons, including disagreement with the group’s “guidelines” or because “they felt the breath of the police on their necks.” Was Venus Ransomware born out of the disbanding of other groups?

Venus – No

SuspectFile – was able to read chats between the victim and the group’s operator. On several occasions, there were communication problems during the conversations. The victim asked for incontrovertible evidence of the data leak and a complete list of directories under attack, but the operator could not respond because all the data was in the hands of an affiliate. Don’t you think situations like this can undermine the credibility of the ransomware group?

Venus – The data is stored on the supervisor’s server, only he has access

SuspectFile – How do you feel about other RaaS groups, is there something your group does not share in their modus operandi?

Venus – We don’t care about other groups.

SuspectFile – Do you consider yourself a politically affiliated ransomware group?

Venus – No, we are not affiliated with politics.

SuspectFile – Like some other ransomware groups, do you or your affiliates also rely on or make your choices based on the language of the operating system, or do you care about the nationality of the victim?

Venus – no, language and nationality are not important

SuspectFile – In fact, most companies in any industry invest little or nothing in IT security. But beyond that, what are the major flaws that companies need to intervene in?

Venus – no answer ) we wouldn’t have a job )

SuspectFile – Do you think that some cybersecurity companies that companies entrust with the role of “negotiator” end up making a deal with a ransomware group in secret and for a fee?

Venus – yes, it always happens, because it is impossible to decrypt our encryption without a master key which only we have

SuspectFile – What reasons, if any, besides money, led you to choose this path in life?

Venus – we do not increase the amount after payment.
we always decrypt and remove data from servers
we work on reputation, we are only interested in money
after paying 1000% “client” gets decryption program