The current cyberthreat landscape is an ever dynamic threat, we have state-sponsored cyberthreats and very sophisticated cybercriminals to defend against. These threats come with their own motivations and objectives. We have all come to know ransomware, which, according to our study published earlier this month, has become one of the biggest cybersecurity threats in the world.

Almost every week we see new ransomware samples or new and improved versions of previous samples. In this post we take a look at a recent ransomware called Venus Locker, discovered by @demonslay335.

Ransomware name: VenusLocker
MD5: 8675FFB697AD944748E0E24AC1A962CE
File Type: 32 Bit .NET EXE

Venus_Locker_Note

Behavioral analysis:

Upon execution Venus Locker creates U2FsdGVKX1DKeR.vluni in C:\Users\current user\ and the ReadMe.txt file on the current user desktop.

Procdot2

hidden_vluni

Venus Locker uses the file U2FsdGVKX1DKeR.vluni as an indicator that system is already infected.

Network Communication:

Venus Locker does communicate with a command and control server located at https: // 158 .255. 5.153 in order to report a new victim and pass along generated data (user ID and key) . This ransomware also collects intelligence about the victim’s machine using the ip-api.com service and uses the SendInfo function to pass it to the command and control server.

victim_info

nw_traffic

geo_loc

Venus Locker using ip-api.com to find the external IP of the a new victim system.

geoloc2

It is sending the USERID and key to its “secret server”:

send_ID_Key

userid_key

HEX_Key

This malware does not use any protection layer (FUD/crypter) to try to help evade detection and make analysis more difficult. Strings can be used to gather information and details about preformed actions, to assist with analysis.

strings2

Encryption:

As usual, symmetric cryptography is used to encrypt files’ content, and asymmetric – to encrypt the AES key.

Venus Locker comes with an embedded AES-256 key (BGORMkj & v = u1X0O2hOybNdRvZb9SGGnm) and an RSA-2048 public key. That embedded AES key is used only as a failsafe, if the application cannot connect to it’s Command And Control server.

If the Command and Control server is available, instead of the hardcoded one, a randomly generated AES key is used to encrypt targeted content. Then, the embedded public RSA key is used to encrypt the random key prior to sending it to the server (via the SendKey function).

(https://en.wikipedia.org/wiki/RSA_(cryptosystem)

(https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)

As noted in the File_Encryption function, if targeted content is part of the FullCryptExtension list, extension will be “.Venusf” else it will be “Venusp” (0x200 or 512) where the first or 512 bytes in total are targeted.

File_Encryption

AES-256:

AES_ENcrypt_Function

public string AESKeyEncryptWithRSA(string pwd)
{
RSACryptoServiceProvider provider = new RSACryptoServiceProvider(0x800);
provider.FromXmlString("<RSAKeyValue><Modulus>laQ/Ndkbwswz2zvMG4MaRAt7/t/1krRdDHURawFCEUiqMbkmwY9MKxmq1TFC6dpLNt2cj6sezKg9c38YaBRg43BF5PaHtZW4Og+jP9W9jDOsZtG1z2f7jbT4njqdRAMe7LtZbUAMJ2zCtjbBmUd7BVSnjkhUZt9m2rConNIBC4ndOPQl16RQK8aHPQlnH5pkCOpBUqlsxM2TDnRKuT369W5efwEMfnWCf96ZhL+5T0N2nBVrCT1S3+wwIRSfajzp1FNe1CNWr8BcTGXKgKGgz/xCkuk3QFGCufw1fMyQi/dUZ2dROhNKfpRCl9v2yN2iXqdVjXapWnpDVGaIP8zTeQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>");
byte[] bytes = Encoding.UTF8.GetBytes(pwd);
return Convert.ToBase64String(provider.Encrypt(bytes, true));
}

send_ID_Key

 

magnified_extensions

FullCryptExtensions:

full_encrypt

Excluded folders:

Program Files, Program Files (x86), Windows, Python27, Python34, AliWangWang, Avira, wamp, Avira, 360, ATI, Google, Intel, Internet Explorer, Kaspersky Lab, Microsoft Bing Pinyin, Microsoft Chart Controls, Microsoft Games, Microsoft Office, Microsoft.NET, MicrosoftBAF, MSBuild, QQMailPlugin, Realtek, Skype, Reference Assemblies, Tencent, USB Camera2, WinRAR, Windows Sidebar, Windows Portable Devices, Windows Photo Viewer, Windows NT, Windows Media Player, Windows Mail, NVIDIA Corporation, Adobe, IObit, AVAST Software, CCleaner, AVG, Mozilla Firefox, VirtualDJ, TeamViewer, ICQ, java, Yahoo!

Venus Locker also gets the drive names of all logical drives via DriveInfo.GetDrives:

magnified_get_drives_types

Venus Locker is currently requesting $100 US Dollars from victims and gives a 72 hour window for payment or threatens to delete the victims private key.

ReadMe

Conclusion:

Venus Locker is not by any means as sophisticated as Cerber, Petya, Mischa or Locky ransomeware but does it really have to be to achieve its objective? There is currently no decryptor available for Venus Locker EXCEPT if the hardcoded key was used.

Malwarebytes Anti-Malware detects Venus Locker as does Malwarebytes Anti-Ransomware, furthermore Malwarebytes Anti-Malware Malicious Website Protection blocks the malicious IP for the command and control of this sample.