Agenda Ransomware Attacking Critical Infrastructure

As of this year, many ransomware-as-a-service groups, notably Agenda Agenda (also known as Qilin), have developed versions of their ransomware in Rust. The Rust variant of Agenda, like its Go counterpart, has targeted important industries.

Trend Micro has observed that the Agenda ransomware has been posting information about a lot of businesses on its leaked site during the past month.

Threat actors threatened to leak these companies’ files in addition to claiming that they had hacked into their servers.

The businesses that the ransomware organisation lists on its leak site are based in many nations, primarily in the manufacturing and IT sectors, and their combined annual revenue exceeds US$550 million.

Targeting More Major Sectors with Agenda Ransomware Using Rust

“We found a sample of the Agenda ransomware written in Rust language and detected as Ransom.Win32.AGENDA.THIAFBB. Notably, the same ransomware, originally written in Go language, was known for targeting healthcare and education sectors in countries like Thailand and Indonesia”, Trend Micro researchers

A previous version of the ransomware, written in Go and customized for each victim, targeted healthcare and education sectors in countries like Indonesia, Saudi Arabia, South Africa, and Thailand.

The Rust variant has been observed employing intermittent encryption, which is a new strategy used by threat actors to evade detection and faster encryption.

The ransomware will start dropping its ransom letter onto each encrypted directory. The password required to run the ransomware will also be used as the password to access the ransomware group’s support chat website, as stated in its ransom note.

The Rust version of Agenda only accepts three arguments, in contrast to the Golang version’s ten arguments.

The Rust variant’s binaries also have a configuration that is hard-coded. Researchers say it also added the -n, -p, fast, skip, and step flags on its configurations. Particularly, these flags are used for intermittent encryption. 

Hence, by using a partial encryption technique based on the values of the flags, the ransomware can encrypt the victim’s files more quickly. Experts say this allows them to encrypt faster and avoid detections that heavily rely on read/write file operations.

Also, Agenda ransomware is also known to deploy customized ransomware for each victim, and we have seen that its Rust variants have an allocated space for adding accounts in their configuration to be used mostly for privilege escalation.

Final Word

Threat actors continue to use ransomware as their preferred method of operation, reinforcing the need for businesses and organisations to rely on a multilayered approach to data security.

“Rust language is becoming more popular among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines,” Trend Micro.

Penetration Testing As a Service – Download Red Team & Blue Team Workspace