{
	"id": "c71cb43a-9c20-4eb3-93c3-fb5a5494443a",
	"created_at": "2026-04-06T00:08:16.436799Z",
	"updated_at": "2026-04-10T03:22:11.907034Z",
	"deleted_at": null,
	"sha1_hash": "d7dd7b6ffc2a347b73677d3d161b0e70eb806434",
	"title": "Cyble - A Deep-dive Analysis Of VENOMOUS Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1725862,
	"plain_text": "Cyble - A Deep-dive Analysis Of VENOMOUS Ransomware\r\nPublished: 2021-08-04 · Archived: 2026-04-05 17:01:35 UTC\r\nWhile conducting our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across ransomware known as VENOMOUS, which encrypts the user's document files using AES-256 encryption and appends the extension “.VENOMOUS” to the encrypted files. The ransomware then demands that victims pay a ransom for a decryption tool to recover their data.\r\nBased on analysis by Cyble Research Labs, we have observed that the executable .exe file is a console-based application that requests user input. In general, this behavior is not observed in stealthy ransomware. It is likely that after compromising the infrastructure, the Threat Actors (TAs) deploy the ransomware manually. To compromise the infrastructure, TAs leverage various techniques such as exploiting vulnerable assets exposed on the Internet.\r\nThe VENOMOUS ransomware group has given the following Tor website in their ransom note: hxxp://3udp4kspxiirvxop[.]onion/.\r\nWe have shown the complete execution flow of the VENOMOUS ransomware in Figure 1.\r\nhttps://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/\r\nPage 1 of 10\r\nFigure 1 Execution Flow\r\nTechnical Analysis\r\nDuring our static analysis, we found that the malware is a console-based x64 executable written in Python. Refer to Figure 2.\r\nFigure 2 Malware Payload Static Information\r\nAfter encrypting the files, the ransomware payload drops a ransom note named “SORRY-FOR-FILES.txt”, as shown in Figure 3.\r\nFigure 3 Ransom Note\r\nIn the above ransom note, the TAs have given a Telegram support ID “hxxps://t[.]me/venomous_support” along with the victim’s unique ID. The attackers ask the victims to contact them and pay the ransom amount in Bitcoin (BTC) to get the decryptor program.\r\nUpon execution, the ransomware payload checks whether a config file is present. Refer to Figure 4.\r\nIf the config file is present, the malware reads the unique ID from it and asks the user to enter the key used to encrypt the files.\r\nIf the config file is not present, the malware creates a new config file, obtains the unique ID, and then asks for the key.\r\nOptionally, if the TAs do not want to reuse the same unique ID, the malware creates a new config file with a new unique ID and asks the user to enter the key used to encrypt the data.\r\nFigure 4 Asking for Key to Encrypt Files\r\nAfter execution, the malware encrypts the files and appends the extension “.VENOMOUS”. Refer to Figure 5.\r\nFigure 5 Encrypted Files\r\nAfter encrypting a file on the victim’s machine, the malware adds an Initialization Vector (IV) to the encrypted file; the IV is unique for each file, as shown in Figure 6.\r\nFigure 6 IV Added After Encryption\r\nThe ransomware then attempts to kill the mssql, MySQL, and SQLiserver processes, as shown in Figure 7.\r\nFigure 7 Modification of Services\r\nSince the malware payload has been developed in Python, we tried to extract the source code from the executable. Refer to Figure 8.\r\nFigure 8 Extracting Source Code from Executable\r\nAfter extracting the source code from the malware payload, we found encoded Python files. We observed that the file containing the complete source code is “sqli-servere”, so we appended the .pyc extension to it and tried to decompile it, as shown in Figure 9.\r\nFigure 9 Extracted Encoded Source Code\r\nTo make decompilation possible, we inserted 16 bytes of magic values, “55 0D 0D 0A 00 00 00 00 92 D4 5F 5F 86 2E 00 00”, into the file. Refer to Figure 10.\r\nFigure 10 Inserting 16 Bytes of Magic Values\r\nAfter adding these bytes to the file, we were able to decompile the Python source code successfully, as shown in Figure 11.\r\nFigure 11 Decoded Python Source Code\r\nCode Analysis\r\nThe source code below shows the ransomware payload checking whether the config file is present. It then obtains the unique ID and requests the encryption key as input from the user. Refer to Figure 12.\r\nFigure 12 Payload Asks for Unique ID for Encryption\r\nThe source code below shows that the ransomware excludes certain folders and files from encryption.\r\nFigure 13 Malware Excludes Directories and Files from Encryption\r\nThe source code shown here demonstrates that the ransomware tries to kill the mssql, MySQL, and SQLi processes so that it can encrypt the database files.\r\nFigure 14 Payload Tries to Kill mssql, MySQL, and sqli Applications\r\nWhile analyzing the Python code, we found that the ransomware uses the Advanced Encryption Standard (AES) algorithm to encrypt the files. An IV is generated for each file and used during the encryption process.\r\nFigure 15 Malware Payload is Using AES Algorithms to Encrypt the Files\r\nThe source code below shows that after encrypting the files, the malware drops a ransom note named “SORRY-FOR-FILES.txt” in various places on the victim’s machine. Refer to Figure 16.\r\nFigure 16 Drops Ransom Note\r\nThe source code below shows that after completing its encryption activities, the malware terminates its own process.\r\nFigure 17 Payload is Trying to Kill Its Process\r\nThe threat actors have given their Tor website in the ransom note: hxxp://3udp4kspxiirvxop[.]onion/. On this website, they list the email ID venomous.files@tutanota[.]com and the Telegram ID hxxps://t[.]me/venomous_support for victims to contact them about the ransom, as shown in Figure 18.\r\nFigure 18 Ransomware Tor Website\r\nConclusion\r\nRansomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by these TAs. Victims of ransomware risk losing their valuable data to such attacks, which leads to financial loss and loss of productivity.\r\nThe malware payload is a console-based application that takes the key value from the user; this behavior is generally not present in typical ransomware. We suspect that this ransomware has been developed for collaboration with affiliates.\r\nCyble Research Labs is continuously monitoring VENOMOUS’s extortion campaign, and we will keep our readers up to date with new information.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nConduct regular backups and keep those backups offline or in a separate network.\r\nMITRE ATT&CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1190 | Exploit Public-Facing Application\r\nDefense Evasion | T1112 | Modify Registry\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1135 | Network Share Discovery\r\nImpact | T1486 | Data Encrypted for Impact\r\nImpact | T1490 | Inhibit System Recovery\r\nIndicators of Compromise (IoCs):\r\nIndicator | Indicator Type | Description\r\n4fb7ed41b7b482bc52c5a2c113b86911d86ef3d1ba1a4651a189b4bbb1901fa6 | SHA256 | Hash\r\nhxxp://3udp4kspxiirvxop[.]onion/ | URL | URL\r\nhxxps://t[.]me/venomous_support | Telegram ID | TA Contact\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrime and exposure on the Darkweb. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\nSource: https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/"
	],
	"report_names": [
		"a-deep-dive-analysis-of-venomous-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434096,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7dd7b6ffc2a347b73677d3d161b0e70eb806434.pdf",
		"text": "https://archive.orkl.eu/d7dd7b6ffc2a347b73677d3d161b0e70eb806434.txt",
		"img": "https://archive.orkl.eu/d7dd7b6ffc2a347b73677d3d161b0e70eb806434.jpg"
	}
}