reports from individuals on Bleeping Computer<\/a> who have found files on their home PCs and servers sporting the .venus extension.<\/p>\n\n\n\nTips for Prevention<\/h2>\n\n\n\n When you break it down, there are essentially three stages to the Venus attack. The first is the initial infection \u2013 the malicious software finding its way into your IT system. Then comes \u2018setting the scene\u2019 for encryption, and the third and final stage is the encryption itself. Everything prior to stage three can be recovered from if detected, but once your files are appended with the dreaded .venus\u2026 start saving for at least 1 BTC if you\u2019re an individual, and likely upwards of 20 if you\u2019re an enterprise. (Just kidding, it\u2019s advised to never pay a ransom.)<\/p>\n\n\n\n
Let\u2019s start with the initial-infection attack vector, Remote Desktop Protocol (RDP). It\u2019s a readily available direct path to another endpoint or network, and it provides native access to the victim\u2019s system. The credentials used to create an RDP connection are usually administrator credentials, meaning if an attacker manages to obtain these, they then have full privileges on the endpoint and can do a lot more damage.<\/p>\n\n\n\n
Tip 1: <\/strong>Stop using RDP.<\/p>\n\n\n\nIn fact, with Venus (and most ransomware), elevated privileges are a requirement for stage 2: successfully preparing for encryption. Venus has to stop services and processes, delete event logs and shadow volume copies, and disable critical software prior to encryption \u2013 none of these tasks can be completed by a standard user.<\/p>\n\n\n\n
Tip 2: <\/strong>Restrict administrative privileges.<\/p>\n\n\n\nWhile Venus ransomware is busy killing Windows services and deleting logs, the user remains blissfully unaware of what is happening because the exact tools that should alert them to the situation have been circumvented by the ransomware – it can proceed to the third and final encryption stage unhindered.<\/p>\n\n\n\n
Tip 3:<\/strong> Use a third-party Auditing tool.<\/p>\n\n\n\nTurning Tips into Tools<\/h2>\n\n\n\n It\u2019s all well and good to know what you need to be doing to protect your enterprise from threats such as Venus ransomware, but putting reliable protective measures in place is a whole other ball game.<\/p>\n\n\n\n
With Admin By Request Privileged Access Management (PAM) solution, each of the three stages of a Venus attack can be prevented or detected prior to successful encryption.<\/p>\n\n\n\n
From the User Portal, you can block any application from running on every endpoint that the software is deployed to. Create a blanket rule that RDP can\u2019t be used at your organization, and enforce it by Blocking the application:<\/p>\n\n\n\nIn terms of privileged access, Admin By Request allows for the instant revocation of your users\u2019 elevated privileges. All users become standard user \u2013 unless specified otherwise in the User Portal, where you can create granular access rules for different users, groups, and OUs.<\/p>\n\n\n\n
Users who require elevated privileges to do their jobs can remain productive (and protected) with Admin By request, which provides Just-In-Time elevation for individual applications upon request, rather than elevating the user or allowing them to have around-the-clock privileges.<\/p>\n\n\n\n
In terms of event logging, Venus is programmed to shut down the built-in Windows tools that would give you an idea of its presence in the system. Admin By Request offers a detailed Auditlog which tracks and records all elevated activity. Actions like stopping processes, deleting privileged data, and disabling key pieces of software are all logged with relevant details such as the time, file, and the user who enacted the change included. Alerting capabilities detect actions deemed suspicious, and send desktop or email notifications based on your configuration.<\/p>\n\n\n\n
TL, DR<\/h2>\n\n\n\n With Admin By Request deployed and configured appropriately, Venus ransomware would be unable to enact its attack plan on your endpoints and encrypt your organization\u2019s data.<\/p>\n\n\n\n
Download the\u00a0Admin By Request Free Plan<\/a>\u00a0or book a demo today to get started \u2013 and rest assured your enterprise won\u2019t be the next to make headlines.<\/p>\n","protected":false},"excerpt":{"rendered":"Initial infection via RDP, killing 39 processes, deleting event logs, then encryption – but all stages of the Venus ransomware attack can be prevented with the right tools.<\/p>\n","protected":false},"author":2,"featured_media":5532,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[89,80,83,90,91,81,82,62,79,85,86,87,88],"ppma_author":[9],"class_list":["post-5531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blogs","tag-criminal","tag-current-events","tag-cyber-attack","tag-cyber-criminal","tag-hacker","tag-healthcare","tag-malware","tag-microsoft","tag-ransomware","tag-rdp","tag-remote-desktop-protocol","tag-venus","tag-venus-ransomware","entry","has-media"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t
![\"\"\/](\"https:\/\/www.adminbyrequest.com\/Images\/Blogs\/VenusRansomNote.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/www.adminbyrequest.com\/Images\/Blogs\/Blocklist.png\")
<\/figure>\n\n\n\n