The Health Sector Cybersecurity Coordination Center (HC3) has recently shared details of the tactics, techniques, and procedures associated with Venus ransomware attacks, and has made several recommendations on mitigations that healthcare organizations can implement to improve their defenses against attacks. Venus ransomware, aka GOODGAME, is a relatively new threat, having first been identified in mid-August 2022; however, the ransomware has been used globally in attacks and there are now submissions of the ransomware variant every day.
While the threat group is not known to specifically target the healthcare sector, there has been at least one attack on the healthcare industry in the United States. The primary method of initial access, as is the case with several ransomware groups, is exploiting publicly exposed Remote Desktop services to encrypt Windows devices, including Remote Desktop on standard and non-standard TCP ports.
Once access has been gained, the ransomware will attempt to terminate 39 processes associated with database servers and Microsoft Office applications. Event logs will be deleted along with Shadow Copy Volumes, and Data Execution Prevention will be disabled on compromised endpoints. Files are encrypted using AES and RSA algorithms, and encrypted files have the .venus extension, with a goodgamer filemarker and other information added to the file.
The threat actor claims to download data before encrypting files, although no data leak site has been associated with the group. This also does not appear to be a ransomware-as-a-service operation, although based on the number of attacks and IP addresses associated with group it appears to consist of several individuals.
Since publicly exposed Remote Desktop/RDP is attacked, healthcare organizations should ensure these services are protected by a firewall. Windows 11 users will be protected against brute force attacks to some degree, as login attempts are automatically limited. For other Windows versions, rate limiting should be implemented, as this will limit the number of attempts an attacker can make to try to connect to Remote Desktop services. Strong, unique passwords should be set for Remote Desktop services, multi-factor authentication (MFA) should be enforced, and consider putting RDP behind a Virtual Private Network (VPN).
The damage caused by a successful attack can be greatly limited by implementing network segmentation, and best practices should be followed for data backups – The 3-2-1 approach is recommended: Create one primary backup and two copies, store the backups on at least 2 different media, with one copy stored securely offsite. Backups should ideally be encrypted, and certainly password-protected, and should not be accessible from the system where the data resides.
While these attacks target Remote Desktop services, security measures should be implemented to protect against other attack vectors such as email and the exploitation of software vulnerabilities. Ensure an email security solution is in place, consider adding a banner to emails from external sources, disable hyperlinks in emails, provide regular security awareness training to the workforce, ensure patches are applied promptly, make sure the latest version of software is installed, and ensure that administrator access is required to install software. Antivirus software should also be installed on all endpoints.
Further information can be found in the HC3 Venus Ransomware Analyst Note.
The post HC3 Sounds Alarm About Venus Ransomware appeared first on HIPAA Journal.