# A Deep-dive Analysis of VENOMOUS Ransomware **[blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/](https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/)** August 4, 2021 While conducting our routine Open-Source Intelligence (OSINT) research, the Cyble Research Labs came across ransomware known as VENOMOUS, which encrypts the user document files using AES 256 encryption and appends the extension of encrypted files as “.VENOMOUS”. Consequently, the ransomware demands that the victims pay ransom for a decryption tool to recover their data. Based on analysis by Cyble Research Labs, we have observed that the executable .exe file is a console-based application that requests for user input. In general, this behavior is not observed in stealthy ransomware. It is likely that after compromising the infrastructure, the Threat Actors (TAs) deploys the ransomware manually. To compromise the infrastructure, TAs leverage various techniques such as exploiting the vulnerable assets exposed on the Internet. The VENOMOUS ransomware group has given the following tor website details in their ransom note hxxp://3udp4kspxiirvxop[.]onion/. We have shown the complete execution flow of the VENOMOUS ransomware in figure 1. Figure 1 Execution Flow ## Technical Analysis ----- We found that the malware is a console-based x64 architecture executable written in Python during our static analysis. Refer to Figure 2. Figure 2 Malware Payload Static Information After encrypting the files, the ransomware payload drops the ransom note named “SORRY-FOR_FILES.txt”, as shown in Figure 3._ Figure 3 Ransom Note ----- In the above ransom note, the TAs have given a Telegram support ID _“hxxps://t[.]me/venomous_support” with the victim’s unique ID. The attackers ask the victims to contact_ them and pay the ransom amount in Bitcoin (BTC) to get the decryptor program. Upon execution, the ransomware payload checks if config file is present. Refer to Figure 4. If the config is present, the malware gets the unique ID from the config file and asks the users to enter the key to encrypt the files. If config file is not present, the malware creates a new config file, obtains the unique ID and then asks for the key. Optionally, if the TAs do not want to use the same unique ID, the malware creates a new config file having a unique ID and asks users to enter the key to encrypt the data. Figure 4 Asking for Key to Encrypt Files After execution, the malware encrypts the files and appends the extension as “.venomnous” Refer to Figure 5. Figure 5 Encrypted Files After encrypting the files on the victim’s machine, the malware adds an Initialization Vector (IV) in the encrypted file, which is unique for each file, as shown in Figure 6. Figure 6 IV Added After Encryption The ransomware then attempts to kill the mssql, MySQL, SQLiserver processes, as shown in Figure 7. ----- Figure 7 Modification of Services Since the malware payload has been developed in Python, we tried to extract the source code from the executable. Refer to Figure 8. Figure 8 Extracting Source Code from Executable After extracting the source code from the malware payload, we found encoded Python files. We observed that the file containing the complete source code is “sqli-servere“, so we appended its extension to .pyc and tried to decompile it, as shown in Figure 9. ----- Figure 9 Extracted Encoded Source Code While conducting the decompilation process, we inserted 16 bytes of magic values as “55 0D 0D 0A 00 _00 00 00 92 D4 5F 5F 86 2E 00 00” to the file. Refer to Figure 10._ Figure 10 Inserting 16 Bytes of Magic Values After appending the file, we were able to decompile the Python source code successfully, as shown in Figure 11. Figure 11 Decoded Python Source Code ### Code Analysis The below source code demonstrates the ransomware payload checking whether the config file is present. Then, it will obtain the unique ID and requests the encryption key as input from the user. Refer to Figure 12. Figure 12 Payload Asks for Unique ID for Encryption ----- The below source code demonstrates that the ransomware is excluding certain folders and files from encryption. Figure 13 Malware Excludes Directories and Files from Encryption The source code shown here demonstrates that the ransomware is trying to kill the mssql, MySQL, _SQLi processes, to encrypt databases._ Figure 14 Payload is Tries to Kill MySQL, MySQL, and sqli Applications ----- While analyzing the Python code, we found that the ransomware uses Advanced Encryption Standard (AES) algorithms to encrypt the files. The IV is generated for each file and is used during the encryption process. Figure 15 Malware Payload is Using AES Algorithms to Encrypt the Files The below source code demonstrates that after encrypting the files, the malware will drop a ransom note named “SORRY-FOR-FILES.txt” in various places on the victim’s machine. Refer to Figure 16. ----- Figure 16 Drops Ransom Note The below source code demonstrates that after completing encryption activities, the malware terminates its processes. Figure 17 Payload is Trying to Kill Its Process The threat actors have given their TOR website in the ransom note – **hxxp://3udp4kspxiirvxop[.]onion/ .** [In this website, they have mentioned email ID venomous.files@tutanota[.]com and Telegram ID](http://10.10.0.46/mailto:venomous.files@tutanota%5B.%5Dcom) **hxxps://t[.]me/venomous_support to communicate with the victims for demanding the ransom as** shown in Figure 18. ----- Figure 18 Ransomware Tor Website ## Conclusion Ransomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by these TAs. Victims of ransomware risk losing their valuable data due to such attacks, which leads to financial loss and loss of productivity. Since malware payload is a console-based application and the key value from the user, generally, this behavior is not present in the typical ransomware. We suspect that this ransomware has been developed for collaborating with affiliates. Cyble Research Labs is continuously monitoring VENOMOUS’s extortion campaign, and we will keep our readers up to date with new information. ## Our Recommendations We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow these suggestions given below: Use strong passwords and enforce multi-factor authentication wherever possible. Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. Refrain from opening untrusted links and email attachments without verifying their authenticity. Conduct regular backup practices and keep those backups offline or in a separate network. ----- ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** **Initial Access** [T1190](https://attack.mitre.org/techniques/T1190/) Exploit Public-Facing Application **DefenseEvasion** [T1112](https://attack.mitre.org/techniques/T1112) [T1027](https://attack.mitre.org/techniques/T1027) [T1562.001](https://attack.mitre.org/techniques/T1562/001/) **Discovery** [T1083](https://attack.mitre.org/techniques/T1083) [T1135](https://attack.mitre.org/techniques/T1135) **Impact** [T1486](https://attack.mitre.org/techniques/T1486/) [T1490](https://attack.mitre.org/techniques/T1490/) [Modify Registry](https://attack.mitre.org/techniques/T1112) [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) Impair Defences: Disable or Modify Tools [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) [Network Share Discovery](https://attack.mitre.org/techniques/T1135) Data Encrypted for Impact Inhibit System Recovery ## Indicators of Compromise (IoCs): **Indicators** **Indicator** **type** **Description** 4fb7ed41b7b482bc52c5a2c113b86911d86ef3d1ba1a4651a189b4bbb1901fa6 SHA256 HASH hxxp://3udp4kspxiirvxop[.]onion/ URL URL hxxps://t[.]me/venomous_support Telegram ID ## About Us TA Contact [Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from](https://cyble.com/) cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit [www.cyble.com.](https://cyble.com/) -----