New Agenda Ransomware Appears in the Threat Landscape (Security Affairs)

Trend Micro researchers warn of a new ransomware family called Agenda, which has been used in attacks against organizations in Asia and Africa.

Trend Micro researchers recently discovered a new targeted ransomware, tracked as Agenda, which is written in the Go programming language. The ransomware was used in a targeted attack against one of the company's customers. Investigation of the incident revealed that the threat actor used a publicly accessible Citrix server as the entry point, most likely authenticating with a valid account and then moving laterally inside the victim's network.

The new ransomware family has been used in attacks that hit businesses in Asia and Africa. The name Agenda comes from dark web posts by a user named “Qilin”, who is likely linked to the ransomware's distributors, and from the ransom notes themselves.

Agenda ransomware can reboot systems in safe mode, attempt to stop many server-specific processes and services, and can run in multiple modes. The researchers noticed that the samples they analyzed were personalized for each victim, all of which included unique company identifiers and leaked account details.

The samples collected were 64-bit Windows PE (Portable Executable) files and were used to target health and education organizations in Indonesia, Saudi Arabia, South Africa and Thailand.

“Each ransomware sample has been personalized for the intended victim. Our investigation showed that the samples contained leaked accounts, customer passwords and unique corporate identifiers used as encrypted file extensions,” reads the report published by Trend Micro. “Additionally, the amount of ransom demanded is different per company, ranging from $50,000 to $800,000.”

The analysis published by Trend Micro details the commands supported by the ransomware and the capabilities of the malicious code.

Agenda supports multiple command-line arguments, builds a runtime configuration to define its behavior, deletes volume shadow copies by running vssadmin.exe remove shadows /all /quiet, terminates processes and services associated with anti-virus software, and creates an autostart entry pointing to a copy of itself.

Experts have noticed that Agenda changes the default user password and enables auto-login with the new credentials to evade detection. Agenda reboots the victim's machine into safe mode and then encrypts files after the reboot, a technique also used by other ransomware gangs such as REvil.

The threat actor gained access to Active Directory via RDP using leaked accounts, then used the scanning tools nmap.exe and Nping.exe to map the network. They then pushed a scheduled task to the machines through Group Policy.
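The behaviours described above (shadow-copy deletion, an auto-logon change on the compromised account, and nmap.exe/Nping.exe launched for internal scanning) can be turned into simple host-telemetry detections. The following is an added example, not Trend Micro's code: the event format, host names and paths are constructed, and the deletion rule uses vssadmin's actual subcommand, delete shadows.

```python
# Added example (not Trend Micro's code): match constructed Windows telemetry
# against the Agenda behaviours the article lists. Hosts, paths, event layout
# and the AutoAdminLogon value below are constructed sample data.
import re

# One event per line: "<type>|<host>|<detail>", loosely modelled on Sysmon
# process-creation (proc) and registry value set (reg) events.
SAMPLE_EVENTS = """\
proc|SRV01|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
proc|SRV01|C:\\Users\\svc_backup\\nmap.exe -sS 10.0.0.0/24
proc|WS17|C:\\Windows\\System32\\svchost.exe -k netsvcs
reg|SRV01|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon=1
proc|WS17|C:\\Tools\\Nping.exe --tcp -p 445 10.0.0.5
proc|WS17|C:\\Windows\\System32\\vssadmin.exe list shadows
"""

# (rule name, event type it applies to, pattern tested against the detail field)
RULES = [
    ("shadow_copy_deletion", "proc",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("network_scanner_launch", "proc",
     re.compile(r"\\(nmap|nping)\.exe\b", re.I)),
    ("autologon_enabled", "reg",
     re.compile(r"\\Winlogon\\AutoAdminLogon=1$", re.I)),
]

def parse_events(text):
    """Split the telemetry into (type, host, detail) tuples, skipping blanks."""
    return [tuple(line.split("|", 2))
            for line in text.splitlines() if line.strip()]

def match_rules(events):
    """Return a (rule name, host) alert for every event that matches a rule.
    'vssadmin list shadows' is benign and must not trigger the deletion rule."""
    return [(name, host)
            for etype, host, detail in events
            for name, rtype, pattern in RULES
            if etype == rtype and pattern.search(detail)]

def hosts_with_chain(alerts, needed=("shadow_copy_deletion", "autologon_enabled")):
    """Hosts on which every rule in `needed` fired: shadow-copy deletion plus an
    auto-logon change on one host is a stronger pre-encryption signal than either alone."""
    seen = {}
    for name, host in alerts:
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if set(needed) <= names)

if __name__ == "__main__":
    found = match_rules(parse_events(SAMPLE_EVENTS))
    print(found, "escalate:", hosts_with_chain(found))
```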

“This ransomware has techniques to evade detection by taking advantage of a device's ‘safe mode’ feature to continue its encryption routine unnoticed. The ransomware also takes advantage of local accounts to log in as spoofed users and run the ransomware binary, further encrypting other machines if the login attempt is successful. It also terminates many processes and services, and ensures persistence by injecting a DLL into svchost.exe,” Trend Micro concludes.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs: hacking, Agenda ransomware)
