A new strain of ransomware written in Golang, dubbed “Agenda,” was spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa and Thailand.
“Agenda can reboot systems in Safe Mode, attempts to stop many server-specific processes and services, and has multiple execution modes,” Trend Micro researchers said in a review last week.
Qilin, the threat actor advertising the ransomware on the dark web, reportedly provides affiliates with options to tailor binary payloads to each victim, allowing operators to choose the ransom note, the encryption extension, and the list of processes and services to terminate before the encryption process starts.
Additionally, the ransomware incorporates detection evasion techniques by abusing a device’s “safe mode” feature to continue its file-encrypting routine unnoticed, but not before changing the default user’s password and enabling automatic login.
After successful encryption, Agenda renames the files with the configured extension, drops a ransom note in each encrypted directory, and restarts the machine in normal mode. The ransom demanded varies from company to company, ranging from $50,000 to $800,000.
Agenda, in addition to leveraging local account credentials to run the ransomware binary, also comes with capabilities to infect an entire network and its shared drives.
In one of the observed attack chains involving the ransomware, a publicly accessible Citrix server served as an entry point to ultimately deploy the ransomware in less than two days.
Trend Micro said it observed source code similarities between Agenda and the Black Basta, Black Matter, and REvil (aka Sodinokibi) ransomware families.
Black Basta, which first appeared in April 2022, is known to use the double extortion technique of encrypting files on targeted organizations’ systems and demanding a ransom to make decryption possible, while also threatening to publish the stolen sensitive information if a victim chooses not to pay the ransom.
As of last week, the Black Basta group had compromised more than 75 organizations, according to Palo Alto Networks Unit 42, up from 50 in June 2022.
Agenda is also the fourth strain after BlackCat, Hive, and Luna to use the Go programming language. “Ransomware continues to evolve, developing more sophisticated methods and techniques to trick organizations,” the researchers said.