Ransomware - Venus

Venus
Aliases
Anigma
Goodgame
Goodgamer
Gooodgamer
Decryptor Available
No
Description

Researchers attribute Venus to Zeoticus and Zeoticus 2.0 because of the ransom notes and the use of the string "goodgamer" as a file marker, and "goodgame" as one of its file extensions. The similarities in the ransom notes are undeniable. They look identical and have the same formatting and extortion communication mediums. What's interesting is that Zeoticus and Zeoticus 2.0 used a combination of XChaCha20 to encrypt files and curve25519xsalsa20poly1305 to ensure the encryption key couldn't be recovered. Venus, on the other hand, uses a combination of AES to encrypt files and RSA to encrypt the AES key. Additionally, when Venus encrypts files, it changes the desktop icon of the encrypted file. Neither Zeoticus variant did that. So, it appears that Zeoticus and Venus are vastly different encryptors but created by the same threat actor. or it could be that the Zeoticus threat actor(s) acquired Venus from someone else.

Venus came after Zeoticus, which led to 2023Lock, and then TrinityLock. The latter two, also returning to the combinatory encryption algorithm of XChaCha20 and curve25519xsalsa20poly1305. This further suggests Venus was a different entity entirely. Further evidence of this is the methods of access to victim networks. Venus has been widely reported in the media for encrypting servers and other machines with RDP exposed to the Internet, no matter the port.

The Venus operators appeared on a hacking forum (RAMP) to elicit help from pen testers at one point, indicating Venus' operators could have run a Ransomware-as-a-Service model. The use of several different file extensions appended onto encrypting files and the large number of emails discovered support this.

Ransomware Type
Crypto-Ransomware
RaaS
First Seen
Last Seen
Lineage
Extortion Types
Blackmail
Direct Extortion
Amount
$5,000
1BTC($17,150)
1BTC($19,116)
1BTC($19,385)
1BTC($20,541)
1BTC($21,133)
1BTC($26,906)
Moyen
Identifiant
RAMP
Skype
Tox
Encryption
Type
Hybrid
Files
AES
Key
RSA
File Extension
<file name>.<file extension>.anigma
<file name>.<file extension>.goodgame
<file name>.<file extension>.venus
<file name>.<file extension>.Ywkfistef
Ransom Note Name
<random 20-character string>.jpg
README.html
README.txt
0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028
0dc0da0739b227a9dae83be93d1b232c645dbffc7499709ae05c4ffa1bf44000
2e2cef71bf99594b54e00d459480e1932e0230fb1cbee24700fbc2f5f631bf12
49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71
6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05
d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb
Industry Sector Pays Extortion Date Amount (USD)
IndividualUnknown $5,000
IndividualUnknown 1 BTC($19,116)
IndividualUnknown 1 BTC($19,385)
IndividualUnknown 1 BTC($20,541)
IndividualUnknown 1 BTC($21,133)
IndividualUnknown 1 BTC($17,150)
IndividualUnknown
IndividualUnknown 1 BTC($26,906)