A new ransomware family, Agenda, has been discovered targeting healthcare and education firms in Asia and Africa. This ransomware is written in the Go programming language and customized for each victim.

Diving into Agenda ransomware

Trend Micro discovered the ransomware and named it Agenda on the basis of the ransom notes and dark web posts by a user named Qilin. Qilin is believed to be connected with distributors of this ransomware.
  • The group has targeted education and healthcare entities in Thailand, Saudi Arabia, Indonesia, and South Africa. 
  • It can operate in multiple modes, reboot systems in safe mode, and stop server-specific processes and services.
  • In the collected samples, the ransomware was customized for each victim and had unique company IDs and leaked account information.

Qilin seems to offer affiliates options to customize configurable binary payloads for every victim, including details such as the RSA key, the company ID, and the processes and services to terminate before data encryption.

Links to other ransomware

Some similarities were observed between Agenda and other ransomware, including Black Matter, REvil, and Black Basta.
  • Agenda is similar to Black Basta/Black Matter in terms of the payment sites and the implementation of user verification on a Tor site. 
  • Further, Agenda, Black Basta, and REvil share the same command for changing Windows passwords and rebooting in safe mode.

Additional details

  • All observed samples were 64-bit Windows PE files written in Go and aimed at Windows-based systems.
  • The ransomware drops pwndll[.]dll, detected as Trojan.Win64.AGENDA.SVT, inside the Public folder. The DLL is injected into svchost.exe, which allows persistent execution of the ransomware.
  • The ransom amount demanded varies for every victim firm, ranging from $50,000 to $800,000.

Further, the ransomware leaked customer passwords, accounts, and unique company IDs used as extensions of locked files.
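
For defenders, the drop-and-inject behavior described above can be hunted in endpoint telemetry. The following is an added example, not code from Trend Micro or the original article: it triages Sysmon-style records for DLLs written to the Public folder and for svchost.exe loading a module from there. It assumes the Public folder is at its default C:\Users\Public location, that the injection surfaces as an image-load event, and that events arrive as dictionaries using Sysmon field names; the sample records are constructed.

```python
import ntpath

# Sysmon event IDs: 11 = FileCreate, 7 = ImageLoad.
PUBLIC_DIR = r"c:\users\public"  # assumption: default Public folder location
KNOWN_DLL = "pwndll.dll"         # file name reported in the article

def in_public(path):
    """True if path resolves to somewhere under the Public folder."""
    p = ntpath.normpath(path).lower()
    return p.startswith(PUBLIC_DIR + "\\")

def triage(events):
    """Return (severity, reason, event) tuples for suspicious records."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:
            target = ev.get("TargetFilename", "")
            if in_public(target) and target.lower().endswith(".dll"):
                known = ntpath.basename(target).lower() == KNOWN_DLL
                findings.append(("high" if known else "medium",
                                 "DLL written to Public folder", ev))
        elif eid == 7:
            proc = ntpath.basename(ev.get("Image", "")).lower()
            if proc == "svchost.exe" and in_public(ev.get("ImageLoaded", "")):
                findings.append(("high",
                                 "svchost.exe loaded a module from Public folder", ev))
    return findings

SAMPLE_EVENTS = [  # constructed records, not taken from a real incident
    {"EventID": 11, "Image": r"C:\Temp\sample.exe",
     "TargetFilename": r"C:\Users\Public\pwndll.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\pwndll.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\Documents\report.docx"},
    {"EventID": 11, "Image": r"C:\Temp\x.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\other.dll"},
]

if __name__ == "__main__":
    for severity, reason, ev in triage(SAMPLE_EVENTS):
        print(severity, reason, ev.get("TargetFilename") or ev.get("ImageLoaded"))
```

The medium-severity rule catches renamed DLLs in the same location, since the file name alone is easy for an affiliate to change.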


The Agenda ransomware is equipped with several sophisticated tactics that today’s advanced ransomware groups already follow, such as execution in safe mode and a persistence mechanism using DLL injection. Moreover, the way some of its features overlap with those of other ransomware suggests that it could be the handiwork of highly experienced cybercriminals.
Cyware Publisher