VenusLocker targets the Windows operating system; its distribution method is currently unknown. It encrypts files using AES-256, appends .Venusf to encrypted file names, and drops a ransom note named Readme.txt. In addition to encrypting files, it collects system information from the infected machine and sends it to its C2 server. An additional indicator of infection is the presence of a file named U2FsdGVKX1DKeR.vluni in the current user's profile directory, C:\Users\current user\. VenusLocker demands a ransom payment of 100 USD in the form of Bitcoin.
UPDATE 2/22/2017: A new version, dubbed Trump Locker, also targets the Windows operating system; its distribution method is currently unknown. Its installation file is named TrumpLocker.exe and, once launched, it appends .TrumpLockerf to the end of some encrypted file names and .theTrumpLockerp to the end of others. It drops a ransom note named What happen to my files.txt onto the victim’s desktop. The ransom demand for Trump Locker is 0.145 Bitcoin.
- Malwarebytes provides more information about VenusLocker here.
- The NJCCIC is not currently aware of any free decryption tool available for VenusLocker.
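The file-system indicators listed in this profile can be checked with a short triage sweep. The script below is an added example, not code from the NJCCIC or Malwarebytes; the function names and the rule that Readme.txt is reported only alongside a stronger VenusLocker indicator are assumptions made for this example, since Readme.txt is also a common benign file name.

```python
import os
import sys
import tempfile

# Indicators from the profile above; compared case-insensitively because
# Windows file names are case-insensitive.
ENCRYPTED_SUFFIXES = {".venusf": "VenusLocker",
                      ".trumplockerf": "Trump Locker",
                      ".thetrumplockerp": "Trump Locker"}
STRONG_NAMES = {"u2fsdgvkx1dker.vluni": "VenusLocker",   # marker in the user profile
                "trumplocker.exe": "Trump Locker",        # installation file
                "what happen to my files.txt": "Trump Locker"}  # ransom note
WEAK_NAMES = {"readme.txt": "VenusLocker"}  # ransom note, but a common benign name


def sweep(root):
    """Walk root and return sorted (variant, reason, path) findings.

    A weak indicator is reported only when a strong indicator for the same
    variant was found somewhere under root (assumption made for this example).
    """
    strong, weak = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low, path = name.lower(), os.path.join(dirpath, name)
            if low in STRONG_NAMES:
                strong.append((STRONG_NAMES[low], "known file name", path))
            elif low in WEAK_NAMES:
                weak.append((WEAK_NAMES[low], "ransom note name", path))
            else:
                for suffix, variant in ENCRYPTED_SUFFIXES.items():
                    if low.endswith(suffix):
                        strong.append((variant, "encrypted-file extension", path))
    confirmed = {variant for variant, _reason, _path in strong}
    return sorted(strong + [w for w in weak if w[0] in confirmed])


def make_sample_tree(root, names):
    """Create empty files (constructed sample data) so the sweep can be tried offline."""
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:  # no path given: demonstrate on a constructed tree
        target = tempfile.mkdtemp()
        make_sample_tree(target, ["Docs/budget.xlsx.Venusf", "Docs/Readme.txt"])
    for variant, reason, path in sweep(target):
        print(f"{variant}: {reason}: {path}")
```

Pass a directory such as a user profile as the first argument to sweep it; with no argument the script runs against a small constructed tree.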