While conducting our routine Open-Source Intelligence (OSINT) research, the Cyble Research Labs came across ransomware known as VENOMOUS, which encrypts the user document files using AES 256 encryption and appends the extension of encrypted files as “.VENOMOUS”. Consequently, the ransomware demands that the victims pay ransom for a decryption tool to recover their data.
Based on analysis by Cyble Research Labs, we have observed that the executable .exe file is a console-based application that requests for user input. In general, this behavior is not observed in stealthy ransomware. It is likely that after compromising the infrastructure, the Threat Actors (TAs) deploys the ransomware manually.
To compromise the infrastructure, TAs leverage various techniques such as exploiting the vulnerable assets exposed on the Internet.
The VENOMOUS ransomware group has given the following tor website details in their ransom note hxxp://3udp4kspxiirvxop[.]onion/.
We have shown the complete execution flow of the VENOMOUS ransomware in figure 1.
Technical Analysis
We found that the malware is a console-based x64 architecture executable written in Python during our static analysis. Refer to Figure 2.
After encrypting the files, the ransomware payload drops the ransom note named “SORRY-FOR-FILES.txt”, as shown in Figure 3.
In the above ransom note, the TAs have given a Telegram support ID “hxxps://t[.]me/venomous_support” with the victim’s unique ID. The attackers ask the victims to contact them and pay the ransom amount in Bitcoin (BTC) to get the decryptor program.
Upon execution, the ransomware payload checks if config file is present. Refer to Figure 4.
- If the config is present, the malware gets the unique ID from the config file and asks the users to enter the key to encrypt the files.
- If config file is not present, the malware creates a new config file, obtains the unique ID and then asks for the key.
- Optionally, if the TAs do not want to use the same unique ID, the malware creates a new config file having a unique ID and asks users to enter the key to encrypt the data.
After execution, the malware encrypts the files and appends the extension as “.venomnous” Refer to Figure 5.
After encrypting the files on the victim’s machine, the malware adds an Initialization Vector (IV) in the encrypted file, which is unique for each file, as shown in Figure 6.
The ransomware then attempts to kill the mssql, MySQL, SQLiserver processes, as shown in Figure 7.
Since the malware payload has been developed in Python, we tried to extract the source code from the executable. Refer to Figure 8.
After extracting the source code from the malware payload, we found encoded Python files. We observed that the file containing the complete source code is “sqli-servere“, so we appended its extension to .pyc and tried to decompile it, as shown in Figure 9.
While conducting the decompilation process, we inserted 16 bytes of magic values as “55 0D 0D 0A 00 00 00 00 92 D4 5F 5F 86 2E 00 00” to the file. Refer to Figure 10.
After appending the file, we were able to decompile the Python source code successfully, as shown in Figure 11.
Code Analysis
The below source code demonstrates the ransomware payload checking whether the config file is present. Then, it will obtain the unique ID and requests the encryption key as input from the user. Refer to Figure 12.
The below source code demonstrates that the ransomware is excluding certain folders and files from encryption.
The source code shown here demonstrates that the ransomware is trying to kill the mssql, MySQL, SQLi processes, to encrypt databases.
While analyzing the Python code, we found that the ransomware uses Advanced Encryption Standard (AES) algorithms to encrypt the files. The IV is generated for each file and is used during the encryption process.
The below source code demonstrates that after encrypting the files, the malware will drop a ransom note named “SORRY-FOR-FILES.txt” in various places on the victim’s machine. Refer to Figure 16.
The below source code demonstrates that after completing encryption activities, the malware terminates its processes.
The threat actors have given their TOR website in the ransom note – hxxp://3udp4kspxiirvxop[.]onion/ .
In this website, they have mentioned email ID venomous.files@tutanota[.]com and Telegram ID hxxps://t[.]me/venomous_support to communicate with the victims for demanding the ransom as shown in Figure 18.
Conclusion
Ransomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by these TAs. Victims of ransomware risk losing their valuable data due to such attacks, which leads to financial loss and loss of productivity.Â
Since malware payload is a console-based application and the key value from the user, generally, this behavior is not present in the typical ransomware. We suspect that this ransomware has been developed for collaborating with affiliates.
Cyble Research Labs is continuously monitoring VENOMOUS’s extortion campaign, and we will keep our readers up to date with new information.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow these suggestions given below:
- Use strong passwords and enforce multi-factor authentication wherever possible.   Â
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  Â
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.     Â
- Refrain from opening untrusted links and email attachments without verifying their authenticity.Â
- Conduct regular backup practices and keep those backups offline or in a separate network.Â
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access   | T1190   | Exploit Public-Facing Application |
| Defense Evasion   | T1112   T1027  T1562.001   | Modify Registry   Obfuscated Files or Information  Impair Defences: Disable or Modify Tools  |
| Discovery   | T1083   T1135  | File and Directory Discovery  Network Share Discovery  |
| Impact   | T1486   T1490   | Data Encrypted for Impact   Inhibit System Recovery   |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| 4fb7ed41b7b482bc52c5a2c113b86911d86ef3d1ba1a4651a189b4bbb1901fa6 | SHA256 | HASH |
| hxxp://3udp4kspxiirvxop[.]onion/ | URL | URL |
| hxxps://t[.]me/venomous_support | Telegram ID | TA Contact |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. 
