VenusLocker targets the Windows OS; its distribution method is currently unknown. It encrypts files using AES-256, appends .Venusf to encrypted file names, and drops a ransom note named Readme.txt. In addition to encrypting files, it collects system information from the infected machine and sends it to its C2 server. An additional indicator of infection is the presence of a file named U2FsdGVKX1DKeR.vluni in the infected user's profile directory, C:\Users\current user\. VenusLocker demands a ransom payment of 100 USD in Bitcoin.
UPDATE 2/22/2017: A new version, dubbed Trump Locker, targets the Windows OS; its distribution method is currently unknown. Its installation file is named TrumpLocker.exe and, once launched, it appends .TrumpLockerf to some encrypted file names and .theTrumpLockerp to others. It drops a ransom note named What happen to my files.txt onto the victim's desktop. The ransom demand for Trump Locker is 0.145 Bitcoin.
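As an added example (not part of the NJCCIC profile or any vendor tooling), the following Python script walks a directory tree for the file-system indicators listed above for both VenusLocker and Trump Locker: the three encrypted-file extensions, the two ransom note names, and the .vluni marker file. Readme.txt is a common benign file name, so the script assumes the note is dropped beside the files it encrypted and only reports a Readme.txt when the same directory also holds files with one of the known extensions; the more distinctive Trump Locker note name and the marker file are reported wherever they appear. That corroboration rule, the scanned root, and the sample tree built by build_sample_tree() (constructed for a dry run, not real infection data) are assumptions of this example, not statements from the profile.

```python
import os
import shutil
import tempfile

# Indicators from the profile above. Comparison is case-insensitive because
# NTFS folds case, so ".VENUSF" and ".Venusf" are the same extension.
ENCRYPTED_EXTENSIONS = {".venusf", ".trumplockerf", ".thetrumplockerp"}
STRONG_NOTE_NAMES = {"what happen to my files.txt"}  # distinctive enough on its own
WEAK_NOTE_NAMES = {"readme.txt"}                     # common benign name; needs corroboration
MARKER_FILE_NAME = "u2fsdgvkx1dker.vluni"            # dropped in the user's profile directory


def scan_for_indicators(root):
    """Walk `root` and return {category: sorted list of full paths}.

    Assumption (not stated in the profile): the ransom note is dropped in the
    same directory as the files it encrypted, so a weak note name such as
    Readme.txt is reported only when that directory also contains at least
    one file with a known encrypted extension.
    """
    encrypted, notes, markers = [], [], []
    for dirpath, _subdirs, filenames in os.walk(root):
        dir_encrypted, dir_weak_notes = [], []
        for name in filenames:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower == MARKER_FILE_NAME:
                markers.append(path)
            elif lower in STRONG_NOTE_NAMES:
                notes.append(path)
            elif lower in WEAK_NOTE_NAMES:
                dir_weak_notes.append(path)
            elif os.path.splitext(lower)[1] in ENCRYPTED_EXTENSIONS:
                dir_encrypted.append(path)
        encrypted.extend(dir_encrypted)
        if dir_encrypted:          # corroborated: encrypted files sit beside the note
            notes.extend(dir_weak_notes)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "marker_files": sorted(markers),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking an infected profile.

    This is sample data for the dry run, not a real infection. Returns the
    temporary root; the caller is responsible for removing it.
    """
    root = tempfile.mkdtemp(prefix="venuslocker_demo_")
    layout = [
        "Documents/budget.xlsx.Venusf",
        "Documents/Readme.txt",                 # beside encrypted files -> reported
        "Projects/notes.docx.TrumpLockerf",
        "Projects/photo.jpg.theTrumpLockerp",
        "Desktop/What happen to my files.txt",  # strong name -> reported on its own
        "Tools/Readme.txt",                     # no encrypted files here -> ignored
        "U2FsdGVKX1DKeR.vluni",                 # marker file in the profile root
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"")
    return root


def demo():
    """Scan the constructed tree and return base names per category."""
    root = build_sample_tree()
    try:
        hits = scan_for_indicators(root)
    finally:
        shutil.rmtree(root)
    return {cat: sorted(os.path.basename(p) for p in paths) for cat, paths in hits.items()}


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

To triage a real host, point scan_for_indicators() at the user's profile directory instead of the constructed tree; the encrypted-extension hits also tell you which directories the ransomware reached, which is useful scoping information for incident response.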
UPDATE 12/21/2017: Researchers have determined that the hacking group behind the VenusLocker ransomware variant has changed tactics and is now running a campaign designed to distribute malware that mines Monero cryptocurrency.
- Malwarebytes provides more information about VenusLocker here.
- The NJCCIC is not currently aware of any free decryption tool available for VenusLocker.