Following in the footsteps of RaaS groups such as BlackCat, Hive, and RansomExx, the Agenda group has developed a Rust variant of its ransomware.

Rust variant functionality

Trend Micro researchers detected and analyzed the new variant, which is equipped with several enhancements, such as intermittent encryption and support for multiple platforms.
  • To execute, the new sample requires a password (in this case AgendaPass) to be passed as an argument.
  • Once the password is supplied, it runs its malicious routine, starting with the termination of various processes and services.
  • It appends the extension .MmXReVIxLV to encrypted files and prints activity logs to the command prompt, including the encrypted file name and the elapsed time.
  • It also drops its ransom note in every directory it encrypts.

The password for logging in to the support chat site of the ransomware group is the same as the password used to execute the ransomware.

Updates and changes

In the Rust variant, detected as Ransom.Win32.AGENDA.THIAFBB, the group has customized the modules and functions of its earlier ransomware binaries for the intended victim.
  • In this variant, the group has added step flags (absent from the old variant) to its configuration for intermittent encryption, which speeds up encryption and helps evade detection.
  • It accepts only three arguments (unlike the old variant, which accepted 10) and carries its configuration hard-coded inside the binary.
  • It has also removed the victim's credentials from the configuration, which were present in the Golang variant.
  • It disables the User Account Control service, which prevents other applications from running with administrative privileges.
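The step-based intermittent encryption described above only rewrites a portion of each file, so a heuristic that measures entropy over the whole file can miss the result. The following added example (not from the page or Trend Micro's analysis) compares whole-file entropy with per-chunk entropy on a constructed sample in which every step-th 4 KiB block is replaced with random bytes; the chunk size and the 7.5 bits/byte threshold are assumptions for illustration.

```python
import math
import os

CHUNK = 4096          # assumed window size for per-chunk entropy
HIGH_ENTROPY = 7.5    # assumed threshold in bits/byte; random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size window across the buffer."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> dict:
    """Compare a whole-file entropy check with a per-chunk check on the same data."""
    whole = shannon_entropy(data)
    per_chunk = chunk_entropies(data, chunk)
    hot = sum(1 for e in per_chunk if e >= threshold)
    return {
        "whole_file_entropy": whole,
        "whole_file_flagged": whole >= threshold,
        "chunks": len(per_chunk),
        "high_entropy_chunks": hot,
        "chunk_flagged": hot > 0,
    }


def build_sample(step: int, block: int = CHUNK, total_blocks: int = 16) -> bytes:
    """Constructed sample: repetitive text, with every `step`-th block replaced by
    random bytes to mimic a partially (intermittently) encrypted file.
    step=0 leaves the file untouched."""
    plain = (b"The quick brown fox jumps over the lazy dog. " * 200)[:block]
    blocks = []
    for i in range(total_blocks):
        blocks.append(os.urandom(block) if step and i % step == 0 else plain)
    return b"".join(blocks)
```

With step=4, whole-file entropy stays well under the threshold while four windows sit near 8 bits/byte, which is the gap the per-chunk check closes.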


Attack targets

While Agenda's Golang variant targeted the healthcare and education sectors in Thailand and Indonesia, the new variant has targeted the manufacturing and IT sectors in several countries, with a combined revenue that surpasses $550 million.
In the past month, the group has listed numerous companies on its leak site, claiming to have breached their servers, and threatened to publish their files.

Conclusion

With Agenda's new variant, its operators are putting considerable effort into making the ransomware harder to analyze and lowering its detection rate by antivirus engines. Enterprises and organizations are therefore advised to deploy the required security practices to safeguard their data and systems.
Cyware Publisher