Agenda Ransomware

A new ransomware strain written in Golang dubbed "Agenda" has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand.

"Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run," Trend Micro researchers said in an analysis last week.

Qilin, the threat actor advertising the ransomware on the dark web, is said to provide affiliates with options to tailor the binary payloads for each victim, enabling the operators to decide the ransom note, encryption extension, as well as the list of processes and services to terminate before commencing the encryption process.

Additionally, the ransomware incorporates techniques for detection evasion by taking advantage of the 'safe mode' feature of a device to proceed with its file encryption routine unnoticed, but not before changing the default user's password and enabling automatic login.

Upon successful encryption, Agenda renames the files with the configured extension, drops the ransom note in each encrypted directory, and reboots the machine in normal mode. The ransomware amount requested varies from company to company, ranging anywhere from $50,000 to $800,000.

Agenda Ransomware

Agenda, besides leveraging local account credentials to execute the ransomware binary, also comes with capabilities to infect an entire network and its shared drivers. In one of the observed attack chains involving the ransomware, a public-facing Citrix server served as an entry point to deploy the ransomware in less than two days after a period of initial reconnaissance.

Trend Micro said it observed source code similarities between Agenda and the Black Basta, Black Matter, and REvil (aka Sodinokibi) ransomware families.

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Black Basta, which first emerged in April 2022, is known to employ the double extortion technique of encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, while also threatening to post the stolen sensitive information should a victim choose not to pay the ransom.

Agenda Ransomware

As of last week, the Black Basta group has compromised over 75 organizations, according to Palo Alto Networks Unit 42, up from 50 in June 2022.

Agenda is also among the crop of ransomware families such as BlackCat, Hive, and Luna to use newer programming languages like Go and Rust. "Ransomware continues to evolve, developing more sophisticated methods and techniques to trap organizations," the researchers said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.