October 2, 2023

Researchers have found that the operators of Crysis ransomware are actively utilizing the Venus ransomware in their operations.

Both Crysis and Venus are well known for targeting externally exposed remote desktop services, and security logs show that the attacks are being launched via RDP.

Crysis and Venus were not the only tools involved; the threat actor also deployed several others, such as:

  • Port Scanner
  • Mimikatz

Such malicious tools can also target the infected systems within the company's internal network.


Upon getting access, the attackers first attempted to encrypt the infected systems with Crysis ransomware. However, after failing to do so, the second attempt at encryption was done using the Venus ransomware.

If the Crysis ransomware encrypts the files, the victims are shown a ransom note with an onion email address to contact the threat actors. If the files are encrypted using Venus ransomware, a message stating that threat actors stole information from the system and urging the users to make contact within 48 hours is displayed.

Venus ransomware terminates various programs such as Office, email clients, and databases during the encryption process.


The following tools were used in the attacks:

  • Venus Ransomware
  • Crysis Ransomware
  • Mimikatz
  • Web Browser Password Viewer – NirSoft
  • Mail PassView – NirSoft
  • VNCPassView – NirSoft
  • Wireless Key View – NirSoft
  • BulletsPassView – NirSoft
  • RouterPassView – NirSoft
  • MessenPass (IM Password Recovery) – NirSoft
  • Remote Desktop PassView – NirSoft
  • Network Password Recovery – NirSoft
  • Network Share Scanner

The threat actor copies files to the Download folder, including bild.exe_ for Venus ransomware. To encrypt additional files, the ransomware terminates the following:

  • Office
  • Email clients
  • Databases

On successful deployment, the Venus ransomware alters the desktop and then presents the user with a README file warning that information has been stolen and files have been encrypted, and prompting the user to establish contact within 48 hours.

Steps to ensure protection

  • Deactivate RDP where it is not in use to reduce attack attempts.
  • Always use strong passwords.
  • Change passwords periodically.
  • Keep V3 updated to prevent malware infection.

As the use of RDP connections grows exponentially, hackers are relentlessly carrying out remote desktop protocol attacks to access and exploit enterprise networks. Organizations must follow easy-to-implement methods to prevent such attacks. This involves implementing multi-factor authentication across all devices and systems, monitoring RDP server logs frequently, and replacing default credentials with strong passwords.
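One way to act on the advice to monitor RDP server logs, shown as an added example that is not from the original article or the researchers: it flags source addresses with a burst of failed logons (Windows Security event 4625) and notes whether a successful RDP logon (event 4624, LogonType 10) followed. The tuple layout, the function name `find_rdp_bruteforce`, the threshold and the window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624
# With Network Level Authentication, failed RDP logons are usually recorded
# as LogonType 3 (network); a successful RDP session is LogonType 10.
FAILED_TYPES, RDP_SUCCESS_TYPE = {3, 10}, 10

# Constructed sample: (time, event ID, LogonType, source address, account),
# shaped like fields exported from the Windows Security log.
SAMPLE_EVENTS = (
    [(f"2023-01-10T03:10:{s:02d}", 4625, 3, "203.0.113.7", "administrator")
     for s in range(0, 60, 10)]
    + [("2023-01-10T03:12:00", 4624, 10, "203.0.113.7", "administrator"),
       ("2023-01-10T09:00:00", 4625, 3, "198.51.100.20", "jsmith"),
       ("2023-01-10T09:00:30", 4625, 3, "198.51.100.20", "jsmith"),
       ("2023-01-10T09:01:00", 4624, 10, "198.51.100.20", "jsmith")]
)


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures": n, "success_after": account or None}} for
    sources with at least `threshold` failed logons inside `window`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in window
    findings = {}
    for ts, event_id, logon_type, ip, user in sorted(events):
        when = datetime.fromisoformat(ts)
        if event_id == FAILED and logon_type in FAILED_TYPES:
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:  # drop failures older than window
                q.popleft()
            if len(q) >= threshold:
                hit = findings.setdefault(
                    ip, {"failures": 0, "success_after": None})
                hit["failures"] = max(hit["failures"], len(q))
        elif event_id == SUCCESS and logon_type == RDP_SUCCESS_TYPE:
            # A success after a flagged burst is the case to triage first.
            if ip in findings and findings[ip]["success_after"] is None:
                findings[ip]["success_after"] = user
    return findings


if __name__ == "__main__":
    for ip, hit in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, hit)
```

A flagged source with a non-empty `success_after` is the one to investigate first, since it matches a password-guessing burst that ended in an interactive session.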

Indicators of Compromise

  • 0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028
  • 2e2cef71bf99594b54e00d459480e1932e0230fb1cbee24700fbc2f5f631bf12
  • 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05
  • 49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71
