December 22, 2024

A new ransomware strain written in Golang dubbed “Agenda” has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand.

“Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run,” Trend Micro researchers said in an analysis last week.

Qilin, the threat actor advertising the ransomware on the dark web, is said to provide affiliates with options to tailor the binary payloads for each victim, enabling the operators to decide the ransom note, encryption extension, as well as the list of processes and services to terminate before commencing the encryption process.

Additionally, the ransomware incorporates techniques for detection evasion by taking advantage of the ‘safe mode’ feature of a device to proceed with its file encryption routine unnoticed, but not before changing the default user’s password and enabling automatic login.

Upon successful encryption, Agenda renames the files with the configured extension, drops the ransom note in each encrypted directory, and reboots the machine in normal mode. The ransomware amount requested varies from company to company, ranging anywhere from $50,000 to $800,000.

Agenda, besides leveraging local account credentials to execute the ransomware binary, also comes with capabilities to infect an entire network and its shared drivers.

In one of the observed attack chains involving the ransomware, a public-facing Citrix server served as an entry point to ultimately deploy the ransomware in less than two days.

Trend Micro said it observed source code similarities between Agenda and the Black Basta, Black Matter, and REvil (aka Sodinokibi) ransomware families.

Black Basta, which first emerged in April 2022, is known to employ the double extortion technique of encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, while also threatening to post the stolen sensitive information should a victim choose not to pay the ransom.

As of last week, the Black Basta group has compromised over 75 organizations, according to Palo Alto Networks Unit 42, up from 50 in June 2022.

Agenda is also the fourth strain after BlackCat, Hive, and Luna to use the Go programming language. “Ransomware continues to evolve, developing more sophisticated methods and techniques to trap organizations,” the researchers said.