[Venus ransomware]
[Virus/Malware Activity Report: Venus Ransomware]
A security incident believed to involve Venus ransomware has occurred,
so we describe the situation and issue the following warning.
Venus ransomware
The ransomware in question is called Venus and appears to change all affected files so that they carry the .venus extension.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Force quit a specific process
Forcibly terminates programs such as database and document-related applications.
[Figure 3 Force termination of specific process]
Network test
Checks network connectivity using the ping command.
[Figure 4 Network test]
Register startup program
Registers itself in the registry so that it runs again when Windows restarts.
[Figure 5 Startup program registration]
[Figure 6 Startup program registration]
[Figure 7 Source: https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getdrivetypea]
Infection results
The guide file (ransom note) is created as README.html in the root of the drive and is run with mshta.exe from the system folder. When encryption is performed, files are renamed to the form <existing extension>.venus, that is, .venus is appended after the existing extension.
[Figure 8 Infection result 1]
[Figure 9 Infection result 2]
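Added example, not part of the original report or of any vendor tooling: a small triage function that correlates the infection results described above (files renamed with .venus appended, README.html in a drive root, mshta.exe opening it). The event schema, host names, sample events and rename threshold are constructed assumptions.

```python
import ntpath
import shlex
from collections import defaultdict

RENAME_THRESHOLD = 3  # assumed tuning value, not taken from the report

# Constructed sample telemetry in a hypothetical schema (not real logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "rename", "old": r"C:\Users\a\plan.docx", "new": r"C:\Users\a\plan.docx.venus"},
    {"host": "ws01", "type": "rename", "old": r"C:\Users\a\db.mdf", "new": r"C:\Users\a\db.mdf.venus"},
    {"host": "ws01", "type": "rename", "old": r"D:\share\q3.xlsx", "new": r"D:\share\q3.xlsx.VENUS"},
    {"host": "ws01", "type": "file_create", "path": r"C:\README.html"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\README.html"'},
    # Benign look-alikes: extension replaced (not appended), README.html outside a drive root.
    {"host": "ws02", "type": "rename", "old": r"D:\a.txt", "new": r"D:\a.venus"},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\b\app\README.html"},
]

def is_venus_rename(old, new):
    """True when the new name is the old name with '.venus' appended."""
    return new.lower() == old.lower() + ".venus"

def is_root_readme(path):
    """True for README.html sitting directly in a drive root, e.g. C:\\README.html."""
    drive, rest = ntpath.splitdrive(path.strip('"'))
    return bool(drive) and rest.replace("/", "\\").lower() == "\\readme.html"

def is_mshta_note_launch(event):
    """True when mshta.exe is started with a drive-root README.html as an argument."""
    if ntpath.basename(event["image"]).lower() != "mshta.exe":
        return False
    args = shlex.split(event["cmdline"], posix=False)[1:]
    return any(is_root_readme(a) for a in args)

def triage(events):
    """Return hosts showing mass '.venus' renames plus the ransom-note indicator."""
    seen = defaultdict(lambda: {"renames": 0, "note_created": False, "note_opened": False})
    for e in events:
        h = seen[e["host"]]
        if e["type"] == "rename" and is_venus_rename(e["old"], e["new"]):
            h["renames"] += 1
        elif e["type"] == "file_create" and is_root_readme(e["path"]):
            h["note_created"] = True
        elif e["type"] == "process" and is_mshta_note_launch(e):
            h["note_opened"] = True
    return {host: h for host, h in seen.items()
            if h["renames"] >= RENAME_THRESHOLD and (h["note_created"] or h["note_opened"])}
```

Requiring both the rename burst and the note indicator keeps a single stray .venus file or an unrelated README.html from raising an alert on its own.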
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of the files that were about to be encrypted.
[Figure 10 Block message]
[Figure 11 Block message]