Related Families: Black Basta, Black Matter, REvil
Verticals Targeted: healthcare, education
Executive Summary
Trend Micro recently reported on Agenda Ransomware, a tailored ransomware written in GoLang.
Key Takeaways
- Agenda Ransomware is written in GoLang and targets Windows systems.
- Each Agenda attack appears to be tailored to the intended target.
- Agenda Ransomware victims include healthcare and education entities in Africa, the Middle East, and Asia.
Agenda Ransomware is a newly discovered ransomware family written in GoLang. The samples analyzed were 64-bit portable executable files targeting Windows systems. According to Trend Micro, the ransomware variant they analyzed was explicitly tailored to target one of their customers, as evidenced by the use of unique company IDs and leaked account details. Known targets include healthcare and education entities based in Indonesia, Saudi Arabia, South Africa, and Thailand.
In the incident Trend Micro investigated, the Agenda Ransomware infection chain began with the threat actor using a public-facing Citrix server as the point of entry, likely using a valid account to access the server and move laterally. The threat actor leveraged leaked accounts to use RDP on Active Directory. The threat actor then dropped Nmap.exe and Nping.exe scanning tools and created a group policy object (GPO) prior to deploying the ransomware. The time to ransom was less than two days.
The advantage of the ransomware being written in GoLang is that it is cross-platform and standalone. The executables run even without Go installed, since Go statically links the libraries it needs. Agenda Ransomware accepts multiple command line arguments, allowing the threat actors to define the desired functionality. It then builds a runtime configuration that defines its behavior, such as the public RSA key used, encryption conditions, a list of processes and services to terminate, the extension to append to encrypted files, login credentials used, and ransom note contents.
Agenda Ransomware uses several methods to attempt to thwart detection. It determines whether the machine is running in Safe Mode and terminates execution if Safe Mode is detected. It also removes shadow volume copies and terminates specific processes and services defined in its runtime configuration. When executed, Agenda creates a RunOnce autostart entry pointing to a copy of itself located in the Public folder. Agenda changes the default user password and enables automatic login with the new credentials. It then reboots the victim machine in Safe Mode and begins encryption upon reboot. Agenda uses AES-256 for file encryption and RSA-2048 to encrypt the generated AES key.
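The chain described above (shadow copy removal, a RunOnce entry pointing into the Public folder, automatic logon with changed credentials, and a reboot into Safe Mode) leaves host telemetry that can be correlated. The following detection sketch is an added example, not code from PolySwarm or Trend Micro; the Sysmon-style events, file paths and registry values it runs over are constructed, and it assumes the behaviours surface as process-creation (event 1) and registry-set (event 13) records.

```python
"""Correlate the Agenda-style behaviours described above over constructed host events."""
from typing import Callable, Dict, List, Tuple

Event = Tuple[int, str, str]   # (sysmon_event_id, image, details)

# Constructed sample telemetry: hypothetical paths and values, not indicators from the report.
SAMPLE_EVENTS: List[Event] = [
    (1, "C:\\Windows\\System32\\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (13, "C:\\Users\\Public\\agent.exe",
     "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\svc = C:\\Users\\Public\\agent.exe"),
    (13, "C:\\Users\\Public\\agent.exe",
     "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon = 1"),
    (13, "C:\\Users\\Public\\agent.exe",
     "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword = [redacted]"),
    (1, "C:\\Windows\\System32\\bcdedit.exe", "bcdedit /set {default} safeboot network"),
    (1, "C:\\Windows\\System32\\notepad.exe", "notepad.exe readme.txt"),   # benign noise
]

def _proc(ev: Event, exe: str, needle: str) -> bool:
    """Process-creation event whose image is `exe` and whose command line contains `needle`."""
    eid, image, details = ev
    return eid == 1 and image.lower().endswith(exe) and needle in details.lower()

def _reg(ev: Event, key_fragment: str, value_fragment: str = "") -> bool:
    """Registry-set event touching `key_fragment`, optionally with `value_fragment` in the data."""
    eid, _, details = ev
    d = details.lower()
    return eid == 13 and key_fragment.lower() in d and value_fragment.lower() in d

# Each rule maps one behaviour from the write-up to a predicate over a single event.
RULES: Dict[str, Callable[[Event], bool]] = {
    "shadow_copy_deletion": lambda e: _proc(e, "vssadmin.exe", "delete shadows"),
    "runonce_to_public_folder": lambda e: _reg(e, "\\RunOnce\\", "\\users\\public\\"),
    "autologon_enabled": lambda e: _reg(e, "\\Winlogon\\AutoAdminLogon", "= 1"),
    "autologon_password_set": lambda e: _reg(e, "\\Winlogon\\DefaultPassword"),
    "safeboot_configured": lambda e: _proc(e, "bcdedit.exe", "safeboot"),
}

def matched_behaviours(events: List[Event]) -> List[str]:
    """Return the rule names seen at least once, in RULES order."""
    return [name for name, rule in RULES.items() if any(rule(e) for e in events)]

def looks_like_agenda_chain(events: List[Event], threshold: int = 3) -> bool:
    """Alert only when several chained behaviours co-occur on one host; any single
    one (e.g. a legitimate bcdedit or vssadmin run) is too noisy to alert on alone."""
    return len(matched_behaviours(events)) >= threshold

if __name__ == "__main__":
    print(matched_behaviours(SAMPLE_EVENTS), looks_like_agenda_chain(SAMPLE_EVENTS))
```

The threshold keeps a lone administrative `bcdedit` or `vssadmin` invocation from firing; tune it against your own baseline of legitimate Safe Mode and autologon changes.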
Agenda has the option to abuse local account credentials to execute the ransomware, using embedded login credentials defined in its runtime configuration. Additionally, Agenda is capable of compromising the entire network and shared drives, not just the initial victim machine.
Trend Micro noted Agenda Ransomware shares similarities with the Black Basta, Black Matter, and REvil ransomware families. Trend Micro researchers found evidence of Agenda Ransomware being offered by an individual or group known as Quilin.
IOCs
PolySwarm has multiple samples of Agenda Ransomware.
E4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342
28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
You can use the following CLI command to search for all Agenda Ransomware samples in our portal:
$ polyswarm link list -f Agenda