A new ransomware strain written in Golang dubbed “Agenda” has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand.
“Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run,” Trend Micro researchers said[1] in an analysis last week.
Qilin, the threat actor advertising the ransomware on the dark web, is said to provide affiliates with options to tailor the binary payloads for each victim, enabling the operators to decide the ransom note, encryption extension, as well as the list of processes and services to terminate before commencing the encryption process.
Additionally, the ransomware incorporates techniques for detection evasion by taking advantage of the ‘safe mode’ feature of a device to proceed with its file encryption routine unnoticed, but not before changing the default user’s password and enabling automatic login.
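The safe-mode technique described above leaves artifacts a defender can audit on any Windows host: an automatic logon configured under the Winlogon registry key, a `safeboot` entry in the current boot configuration, and a password-reset event (Security event ID 4724) shortly before the reboot. The script below is an added example, not code from the article or from Trend Micro's analysis; it uses only standard Windows registry values, `bcdedit`, and the Security event log, and assumes it is run from an elevated PowerShell session. The 24-hour lookback window is an arbitrary choice for the example.

```powershell
# Added example (not from the article): audit a Windows host for the
# auto-logon and forced safe-mode conditions the passage describes.
# Run from an elevated PowerShell session (Security log and bcdedit need it).

function Get-AutoLogonState {
    # Standard Winlogon values that control automatic logon at boot.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        AutoAdminLogon     = $props.AutoAdminLogon        # '1' when enabled
        DefaultUserName    = $props.DefaultUserName
        DefaultDomainName  = $props.DefaultDomainName
        # Report only whether a cleartext password is stored, never its value.
        DefaultPasswordSet = [bool]$props.DefaultPassword
    }
}

function Get-SafeBootState {
    # bcdedit prints a 'safeboot' line for the current boot entry only when
    # the next boot is forced into safe mode (Minimal or Network).
    $lines = & bcdedit.exe /enum '{current}' 2>$null
    $mode  = $lines | ForEach-Object {
        if ($_ -match '^\s*safeboot\s+(\S+)') { $Matches[1] }
    }
    [pscustomobject]@{
        SafeBootConfigured = [bool]$mode
        SafeBootMode       = if ($mode) { $mode } else { 'none' }
    }
}

function Get-RecentPasswordResets {
    param([int]$Hours = 24)
    # Event 4724 = "An attempt was made to reset an account's password".
    # A reset of a local account immediately before a safe-mode reboot matches
    # the behaviour described for Agenda.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull fields by name from the event XML rather than by position.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                TargetAccount = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                ResetBy       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
}

# --- Collect and report ---------------------------------------------------
$auto   = Get-AutoLogonState
$safe   = Get-SafeBootState
$resets = @(Get-RecentPasswordResets -Hours 24)

$findings = @()
if ($auto.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon enabled for $($auto.DefaultDomainName)\$($auto.DefaultUserName)"
}
if ($auto.DefaultPasswordSet) {
    $findings += 'DefaultPassword stored in cleartext under Winlogon'
}
if ($safe.SafeBootConfigured) {
    $findings += "Next boot forced into safe mode ($($safe.SafeBootMode))"
}
if ($resets.Count -gt 0) {
    $findings += "$($resets.Count) password reset event(s) (ID 4724) in the last 24 hours"
}

if ($findings.Count -eq 0) {
    'No auto-logon or safe-mode indicators found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    if ($resets.Count -gt 0) { $resets | Format-Table -AutoSize }
}
```

Any one of these conditions has legitimate uses (kiosk auto-logon, a technician scheduling a safe-mode boot), so the value is in the combination: an auto-logon newly enabled for an account whose password was just reset, together with a pending safe-mode boot, is the sequence the article describes and is worth an alert rather than a log line.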
Upon successful encryption, Agenda renames the files with the configured extension, drops the ransom note in each encrypted directory, and reboots the machine in normal mode. The ransom amount demanded varies from company to company, ranging anywhere from $50,000 to $800,000.
Agenda, besides leveraging local account credentials to execute the ransomware binary, also comes with capabilities to infect an entire network and its shared drives.
In one of the observed attack chains involving the ransomware, a public-facing Citrix server served as an entry point to ultimately deploy the ransomware in less than two days.
Trend Micro said it observed source code similarities between Agenda and the Black Basta[2], Black Matter[3], and REvil[4] (aka Sodinokibi) ransomware families.
Black Basta, which first emerged[5] in April 2022, is known to employ the double extortion technique of encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, while also threatening to post the stolen sensitive information should a victim choose not to pay the ransom.
As of last week, the Black Basta group has compromised over 75 organizations, according to Palo Alto Networks Unit 42[6], up from 50 in June 2022.
Agenda is also the fourth strain after BlackCat[7], Hive[8], and Luna[9] to use the Go programming language. “Ransomware continues to evolve, developing more sophisticated methods and techniques to trap organizations,” the researchers said.
Read more https://thehackernews.com/2022/08/new-golang-based-agenda-ransomware-can.html