Venus Locker in disguise

Venus Locker Ransomware reportedly disguises itself with the new .exe file name Trump Locker.

Threat ID:: CC-1228
Category:: Ransomware
Threat Severity:: Medium
Threat Vector:
Published:: 2 March 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Venus Locker Ransomware reportedly disguises itself with the new .exe file name Trump Locker.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Windows all versions

Threat details

The distribution method used to deploy the ransomware is currently unknown; it is believed that the infection is initiated upon an end user manually launching an executable file with the naming convention ‘TrumpLocker.exe’. Trump Locker targets all popular file types including images, videos, documents and more.

Where Venus Locker and Trump Locker share similarities is that they both fully encrypt infected file types, while for other types it only encrypts the first 1024 bytes of each file. Similar to most ransomware variants, the ransom note is tied to a registry key so it automatically launches after each restart.

Remediation advice

To mitigate the risk of being infected with ransomware, ensure that:

Remediation steps

Type	Step
	A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege. Your organisation adopts a holistic all round approach to Cyber Security as advocated by the “10 Steps To Cyber Security”. Blocking all emails containing the .exe extension. It should be noted that there are ways to bypass this such as utilising ZIP files that are password protected, or use of cloud services. To limit the damage caused by Ransomware and to enable data recovery: All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware. Multiple backups should be created including at least one off-network backup (e.g. to tape).

Type

Step

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege.
Your organisation adopts a holistic all round approach to Cyber Security as advocated by the “10 Steps To Cyber Security”.
Blocking all emails containing the .exe extension. It should be noted that there are ways to bypass this such as utilising ZIP files that are password protected, or use of cloud services.

To limit the damage caused by Ransomware and to enable data recovery:

All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.
Multiple backups should be created including at least one off-network backup (e.g. to tape).

Last edited: 17 February 2020 11:40 am