Share Blog Post
First observed: 2018
Aliases: Agenda
Targeted Sectors: Manufacturing, IT, Education, Government Agencies, Finance, Healthcare, Legal, Telecom
Targeted Countries: Australia, Brazil, Canada, Colombia, France, Netherlands, Serbia, Japan, the U.S., the U.K, Indonesia, Saudi Arabia, South Africa, Thailand
Motivation: Financial gain, Data Stealing, Encryption
Common Infection Vectors: Phishing, Spearphishing, RDPs, Malicious hyperlinks
Introduction
Among the myriad ransomware strains operating in the wild, Agenda (also known as Qilin) has emerged as a notable threat in the murky depths of the cyber world. Crafted in Rust and Go programming languages, Agenda ransomware operates as a RaaS affiliate program and provides encryptors for both Windows and ESXi platforms. It exhibits versatility and exemplary security evasion traits. Distinguished by its sophisticated tactics and widespread impact, the ransomware has targeted several critical sectors globally, including but not limited to education and healthcare.
Recently, Agenda has intensified its attack efforts and enhanced its arsenal. This research article delves into the tactics employed by threat actors, as well as illuminating its affiliate program and the geographic spread of its targets. Additionally, it offers prevention tips and IOCs.
Tactics, Techniques, and Procedures (TTPs)
Traditionally, Agenda was crafted in the Go language. Around the fall of 2022, it made a strategic shift in its modus operandi by launching a Rust-based variant detected under the moniker Ransom.Win32.AGENDA.THIAFBB.
In March, Trend Micro came across revised iterations of the ransomware, particularly its Rust variant. The findings indicated that the Agenda ransomware group had begun leveraging Remote Monitoring and Management (RMM) tools, alongside Cobalt Strike, to deploy the ransomware binary. Additionally, the Agenda ransomware executable can propagate via PsExec and SecureShell, while exploiting various vulnerable SYS drivers for evading detection.
Now, let’s understand the modus operandi of the ransomware group.
Initial infection
Agenda ransomware employs a variety of infection vectors to infiltrate and compromise its targets.
- The ransomware uses malicious hyperlinks to circumvent defenses, often through infected websites, leading to automatic malware installation.
- Phishing emails containing a malicious attachment or link is another way the ransomware group tricks a victim into downloading and installing the payload on their system.
- Agenda can also be observed utilizing RDP-based attacks by abusing security flaws in RDP software to gain unauthorized access to a victim's system.
- It may propagate surreptitiously through malicious files downloaded and installed on a victim's system.
Penetration and Persistence
Agenda ransomware reboots systems in safe mode to evade detection and hinder victim system access. It halts server-specific processes and services to maximize impact. It terminates antivirus processes and services to avoid detection. Agenda ransomware deletes shadow volume copies to prevent system restoration.
For persistence, Agenda ransomware establishes an auto-start entry upon system boot-up and employs a DLL-based persistence mechanism to maintain activity on a victim's system. Then, it alters the default user password and enables automatic login using the modified credentials. The ransomware utilizes local accounts for spoofed user logins, executing the ransomware binary and encrypting additional machines upon successful login.
Encryption
The Agenda ransomware employs AES-256 encryption to encrypt files and RSA-2048 to encrypt the generated key, appending them with a random file extension like ".MmXReVIxLV" post-encryption. The group uses an intermittent encryption method for faster encryption and detection evasion. Besides, each ransom note dropped by the ransomware is customized for its intended victim.
Agenda operators offer customization options, including changing filename extensions and terminating specific processes and services. It supports several encryption modes configured through the encryption setting, displaying the different encryption modes available: skip-step, percent, and fast.
(Note: No known public decryptor for Agenda/Qilin ransomware is available, presently.)
Other tactics
- Debugging environment: Developers utilize debugging environments to analyze and resolve software issues. Agenda ransomware can detect if it's running in a debug environment, helping it evade analysis and detection efforts.
- WMI framework: The ransomware leverages the Windows Management Instrumentation (WMI) framework, commonly utilized by legitimate applications. However, ransomware can exploit WMI to execute commands, gather data, or enact changes to the system, posing a significant threat.
Affiliation and Affiliates
Some similarities were observed between Agend and other ransomware groups, including Black Matter, REvil, and Black Basta. It shares similarities with Black Basta/Black Matter in terms of the payment sites and the implementation of user verification on a Tor site. Further, Agenda, Black Basta, and REvil share the same command for changing Windows passwords and rebooting in safe mode.
Working as RaaS
Group-IB’s analysis of Agenda ransomware unearthed the inner workings of the group’s RaaS affiliate program. According to it, Agenda’s admin panel is divided into sections, such as Targets, Blogs, Stuffers, News, Payments, and FAQs to manage and coordinate its network of affiliates. Additionally, affiliates would get their administrative panel to manage the attacks more effectively. They would earn 80% of payments totaling $3 million or less, and 85% for payments exceeding $3 million.
Victimology
Agenda ransomware does not discriminate regarding its targets, casting a wide net across various sectors and industries. It targets critical sectors worldwide, including healthcare, finance, manufacturing, education, governments, and legal services.
Moreover, its nefarious reach extends across geographical boundaries. While no specific region is spared from the threat, certain countries have experienced a higher prevalence of attacks. For instance, the group initially distributed the malware in Indonesia, Saudi Arabia, South Africa, and Thailand, with a focus only on healthcare and education organizations.
With gradual updates, it spread its wings in other countries, including the U.S., the U.K, Germany, France, Australia, Canada, and Japan. A post made by an Agenda recruiter, written in Russian, claimed that the group “does not work in CIS countries.”
Attack keynotes
- Between July 2022 and May 2023, Agenda posted 12 victims on their data leak site. Spanning various countries, the victims belonged to Australia, Brazil, Canada (2 victims), Colombia, France, Netherlands, Serbia, the U.K, Japan, and the U.S. (2 victims).
- On November 28, 2023, the Agenda ransomware group took credit for a cyberattack targeting leading global automotive parts supplier Yanfeng Automotive Interiors.
- In February this year, it added Upper Marion Township, Etairos Health, Kevin Leeds, and CPA and Commonwealth Sign to its list of victims from the U.S.
- Victims from March include International Electro Mechanical Services (the U.S.), Felda Global Ventures Holdings Berhad (Malaysia), Bright Wires (Saudi Arabia), PT Sarana Multi Infrastruktur (Indonesia), Casa Santiveri (Spain), and The Bug Issue (U.K).
Remediation and Prevention
Agenda ransomware poses a significant threat to organizations across industries, with its affiliate program continuously expanding and equipping members with advanced tools. Organizations across verticals need to recognize the importance of regular backups, installing the latest security patches, and monitoring for unusual activities.
Even more importantly, you can adopt a proactive threat detection and mitigation approach with Cyware’s threat intelligence operationalization solutions. Cyware Intel Exchange is a comprehensive threat intelligence platform that helps organizations mitigate ransomware threats proactively. By ingesting and analyzing threat intel from multiple sources, Intel Exchange helps prioritize responses to the most pertinent threats including ransomware campaigns. Through actionable intelligence, Intel Exchange enables proactive threat analysis force multiplying threat detection, allowing organizations to strengthen their security posture and prevent ransomware attacks before they can cause significant harm.
The Bottom Line
The Agenda ransomware’s global footprint underscores the need for international collaboration and collective defense against such threats. By understanding its origins, aliases, targeted sectors, countries, motivation, and common infection vectors, cybersecurity professionals can better prepare and defend against this insidious malware, safeguarding digital assets and the integrity of affected entities. Modern threat intel platform solutions go well beyond these capabilities while offering better scalability, operational efficiency, faster IR, and more. Hence, platforms like Cyware are essential for mitigating the risk posed by the Agenda/Qilin ransomware and similar threats in the ever-expanding digital landscape.
Indicator Of Compromise (IOCs)
MD5
14dec91fdcaab96f51382a43adb84016
334fd98ab462edc1274fecdb89fb0791
54d801a914165802062aea8e5fdae516
6a93e618e467ed13f98819172e24fffa
817f4bf0b4d0fc327fdfc21efacddaee
A7ab0969bf6641cd0c7228ae95f6d217
417ad60624345ef85e648038e18902ab
a7ab0969bf6641cd0c7228ae95f6d217
SHA1
002971b6d178698bf7930b5b89c201750d80a07e
14177730443c70aefeeda3162b324fdedf9cf9e0
5f99214d68883e91f586e85d8db96deda5ca54af
8917af3878fa49fe4ec930230b881ff0ae8d19c9
a85d9d2a3913011cd282abc7d9711b2346c23899
d34550ebc2bee47c708c8e048eb78881468e6bca
E3496a341c96d77c0ef9bdeec333dd98e2215527
E18e6f975ef8fce97790fb8ae583caad1ec7d5b3
SHA25
e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527
55e070a86b3ef488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6
555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4
fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039
76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464 28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab
93d0cc8492511c663f17544b3bf14eab8ccb492909536e79ef652921d809bb1a ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342
F837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
Detection Names
Avast Win64:Trojan-gen
Sophos Mal/Generic-S
Emsisoft Trojan.Ransom.Babuk.F (B)
Kaspersky Trojan.Win32.DelShad.ivd
Malwarebytes Generic.Malware/Suspicious
Microsoft Ransom:Win32/Babuk.SIB!MTB
Tor Communication
ygo44wtbprhx2kvibtgjj3rrjo3f4fccuhuavy6vnvtrvihpruqdjuad[.]onion
pmbvfcoawmpkpqtcrv3fmtqyvxufbpiidrseseypvxrmlbh727aoqmyd[.]onion
ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd[.]onion
Tags
Posted on: May 03, 2024
More from Cyware
Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.
The Virtual Cyber Fusion Suite
