
The Agenda Saga: Exploring Ransomware's Newest Frontier


Research and Analysis, May 3, 2024

First observed: 2018

Aliases: Agenda

Targeted Sectors: Manufacturing, IT, Education, Government Agencies, Finance, Healthcare, Legal, Telecom

Targeted Countries: Australia, Brazil, Canada, Colombia, France, Netherlands, Serbia, Japan, the U.S., the U.K., Indonesia, Saudi Arabia, South Africa, Thailand

Motivation: Financial gain, Data Stealing, Encryption

Common Infection Vectors: Phishing, Spearphishing, RDPs, Malicious hyperlinks

Introduction

Among the myriad ransomware strains operating in the wild, Agenda (also known as Qilin) has emerged as a notable threat in the murky depths of the cyber world. Crafted in Rust and Go programming languages, Agenda ransomware operates as a RaaS affiliate program and provides encryptors for both Windows and ESXi platforms. It exhibits versatility and exemplary security evasion traits. Distinguished by its sophisticated tactics and widespread impact, the ransomware has targeted several critical sectors globally, including but not limited to education and healthcare.

Recently, Agenda has intensified its attack efforts and enhanced its arsenal. This research article delves into the tactics employed by threat actors, as well as illuminating its affiliate program and the geographic spread of its targets. Additionally, it offers prevention tips and IOCs.

Tactics, Techniques, and Procedures (TTPs)

Traditionally, Agenda was crafted in the Go language. Around the fall of 2022, it made a strategic shift in its modus operandi by launching a Rust-based variant detected under the moniker Ransom.Win32.AGENDA.THIAFBB.

In March, Trend Micro came across revised iterations of the ransomware, particularly its Rust variant. The findings indicated that the Agenda ransomware group had begun leveraging Remote Monitoring and Management (RMM) tools, alongside Cobalt Strike, to deploy the ransomware binary. Additionally, the Agenda ransomware executable can propagate via PsExec and Secure Shell (SSH), while exploiting various vulnerable SYS drivers to evade detection.

Now, let’s understand the modus operandi of the ransomware group.

Initial infection

Agenda ransomware employs a variety of infection vectors to infiltrate and compromise its targets.

  • The ransomware uses malicious hyperlinks to circumvent defenses, often through infected websites, leading to automatic malware installation.

  • Phishing emails containing a malicious attachment or link are another way the ransomware group tricks a victim into downloading and installing the payload on their system.

  • Agenda can also be observed utilizing RDP-based attacks by abusing security flaws in RDP software to gain unauthorized access to a victim's system.

  • It may propagate surreptitiously through malicious files downloaded and installed on a victim's system.

Penetration and Persistence

Agenda ransomware reboots systems in safe mode to evade detection and hinder victim system access. It halts server-specific processes and services to maximize impact. It terminates antivirus processes and services to avoid detection. Agenda ransomware deletes shadow volume copies to prevent system restoration.

For persistence, Agenda ransomware establishes an auto-start entry upon system boot-up and employs a DLL-based persistence mechanism to maintain activity on a victim's system. Then, it alters the default user password and enables automatic login using the modified credentials. The ransomware utilizes local accounts for spoofed user logins, executing the ransomware binary and encrypting additional machines upon successful login.
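The behaviours described above (shadow copy deletion, a safe-mode boot change, and an automatic-login setting) are each individually noisy but rare in combination on one host. The following detection logic is an added example written for this article, not Cyware's or the ransomware's code; the event format, rule names, and the Sysmon-style sample events are constructed assumptions.

```python
import re

# Constructed process-creation events (Sysmon-style fields, made up for this example).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": r"CORP\svc-backup", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": r"CORP\svc-backup", "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "FS01", "user": r"CORP\svc-backup",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f'},
    {"host": "WS07", "user": r"CORP\alice", "cmdline": "git status"},
    {"host": "WS07", "user": r"CORP\alice", "cmdline": "vssadmin list shadows"},
]

# Each rule maps one behaviour named in the briefing to a command-line pattern and a severity.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I), "high"),
    ("safe_mode_boot_config", re.compile(r"bcdedit(\.exe)?.*\bsafeboot\b", re.I), "high"),
    ("autologon_registry", re.compile(r"Winlogon.*\b(AutoAdminLogon|DefaultPassword)\b", re.I), "high"),
    # Password changes via "net user" are also routine admin work: score lower and rely on correlation.
    ("local_password_change", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+", re.I), "medium"),
]

def match_rules(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, pattern, _ in RULES if pattern.search(cmd)]

def scan(events):
    """Tag every event with the rule names it triggers; returns only the events that hit."""
    hits = []
    for ev in events:
        names = match_rules(ev)
        if names:
            hits.append({**ev, "rules": names})
    return hits

def correlate(events, threshold=2):
    """Escalate hosts on which at least `threshold` distinct high-severity rules fired.
    Shadow-copy deletion together with a safe-boot change on one host is the combination
    the briefing describes and is far rarer than either command on its own."""
    severity = {name: sev for name, _, sev in RULES}
    per_host = {}
    for hit in scan(events):
        for name in hit["rules"]:
            if severity[name] == "high":
                per_host.setdefault(hit["host"], set()).add(name)
    return sorted(host for host, names in per_host.items() if len(names) >= threshold)

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["host"], hit["rules"], hit["cmdline"])
    print("escalate:", correlate(SAMPLE_EVENTS))
```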

Encryption

The Agenda ransomware employs AES-256 to encrypt files and RSA-2048 to encrypt the generated AES key, appending a random file extension such as ".MmXReVIxLV" to each encrypted file. The group uses an intermittent encryption method for faster encryption and detection evasion. Besides, each ransom note dropped by the ransomware is customized for its intended victim.

Agenda operators offer customization options, including changing filename extensions and terminating specific processes and services. The ransomware supports several encryption modes, selected through its encryption setting: skip-step, percent, and fast.

(Note: At present, no public decryptor for Agenda/Qilin ransomware is known to be available.)
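Intermittent encryption defeats scanners that judge a file by its overall entropy, because most of the bytes remain plaintext. The following added example (written for this article, not the ransomware's or Cyware's code) models a skip-step scheme with random bytes standing in for AES-256 output and shows that per-block entropy still exposes the encrypted stripes; the 4 KiB block size and thresholds are assumptions, and the percent and fast modes are not modeled.

```python
import math
import os

BLOCK = 4096  # analysis granularity in bytes (assumed; the page does not give Agenda's chunk size)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def simulate_skip_step(plaintext: bytes, skip: int, step: int) -> bytes:
    """Model of a skip-step scheme: overwrite `step` bytes, leave `skip` bytes, repeat.
    os.urandom stands in for ciphertext, which is what a correctly used AES-256 block
    looks like to an entropy scan. This is a model for analysis, not Agenda's code."""
    out = bytearray(plaintext)
    pos = 0
    while pos < len(out):
        end = min(pos + step, len(out))
        out[pos:end] = os.urandom(end - pos)
        pos = end + skip
    return bytes(out)

def block_entropies(data: bytes, block: int = BLOCK):
    """Entropy of each fixed-size block, so stripes of ciphertext show up as spikes."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def looks_intermittently_encrypted(data: bytes, block: int = BLOCK, high=7.5, low=6.0) -> bool:
    """Flag a file whose blocks split into high-entropy (encrypted) and low-entropy (untouched)
    regions, with at least a quarter of the blocks in the high band. A fully encrypted file has
    no low blocks and a clean text file has no high blocks, so neither trips this check."""
    ents = block_entropies(data, block)
    high_blocks = sum(e >= high for e in ents)
    low_blocks = sum(e <= low for e in ents)
    return high_blocks > 0 and low_blocks > 0 and high_blocks >= len(ents) // 4

# Constructed ~188 KiB text document used as the plaintext sample.
SAMPLE_DOC = b"Quarterly report: revenue, expenses, headcount. " * 4000

if __name__ == "__main__":
    striped = simulate_skip_step(SAMPLE_DOC, skip=3 * BLOCK, step=BLOCK)  # encrypt 1 block in 4
    print("whole-file entropy of striped file:", round(shannon_entropy(striped), 2))
    print("per-block flag:", looks_intermittently_encrypted(striped))
```

The whole-file entropy of the striped file stays well below the 7.5 threshold a naive scanner would use, while the per-block check flags it.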

Other tactics

  • Debugging environment: Developers utilize debugging environments to analyze and resolve software issues. Agenda ransomware can detect when it is running under a debugger, which helps it evade analysis and detection efforts.

  • WMI framework: The ransomware leverages the Windows Management Instrumentation (WMI) framework, commonly utilized by legitimate applications. However, ransomware can exploit WMI to execute commands, gather data, or enact changes to the system, posing a significant threat.

Affiliation and Affiliates

Some similarities were observed between Agenda and other ransomware groups, including Black Matter, REvil, and Black Basta. It shares similarities with Black Basta/Black Matter in terms of the payment sites and the implementation of user verification on a Tor site. Further, Agenda, Black Basta, and REvil share the same command for changing Windows passwords and rebooting in safe mode.

Working as RaaS

Group-IB’s analysis of Agenda ransomware unearthed the inner workings of the group’s RaaS affiliate program. According to it, Agenda’s admin panel is divided into sections, such as Targets, Blogs, Stuffers, News, Payments, and FAQs to manage and coordinate its network of affiliates. Additionally, affiliates would get their administrative panel to manage the attacks more effectively. They would earn 80% of payments totaling $3 million or less, and 85% for payments exceeding $3 million.

Victimology

Agenda ransomware does not discriminate regarding its targets, casting a wide net across various sectors and industries. It targets critical sectors worldwide, including healthcare, finance, manufacturing, education, governments, and legal services.

Moreover, its nefarious reach extends across geographical boundaries. While no specific region is spared from the threat, certain countries have experienced a higher prevalence of attacks. For instance, the group initially distributed the malware in Indonesia, Saudi Arabia, South Africa, and Thailand, with a focus only on healthcare and education organizations.

With gradual updates, it spread its wings in other countries, including the U.S., the U.K., Germany, France, Australia, Canada, and Japan. A post made by an Agenda recruiter, written in Russian, claimed that the group “does not work in CIS countries.”

Attack keynotes

  • Between July 2022 and May 2023, Agenda posted 12 victims on their data leak site. Spanning various countries, the victims belonged to Australia, Brazil, Canada (2 victims), Colombia, France, Netherlands, Serbia, the U.K., Japan, and the U.S. (2 victims).

  • On November 28, 2023, the Agenda ransomware group took credit for a cyberattack targeting leading global automotive parts supplier Yanfeng Automotive Interiors.

  • In February this year, it added Upper Marion Township, Etairos Health, Kevin Leeds, and CPA and Commonwealth Sign to its list of victims from the U.S.

  • Victims from March include International Electro Mechanical Services (the U.S.), Felda Global Ventures Holdings Berhad (Malaysia), Bright Wires (Saudi Arabia), PT Sarana Multi Infrastruktur (Indonesia), Casa Santiveri (Spain), and The Bug Issue (U.K.).

Remediation and Prevention

Agenda ransomware poses a significant threat to organizations across industries, with its affiliate program continuously expanding and equipping members with advanced tools. Organizations across verticals need to recognize the importance of regular backups, installing the latest security patches, and monitoring for unusual activities.

Organizations can also adopt a proactive threat detection and mitigation approach with Cyware’s threat intelligence operationalization solutions. Cyware Intel Exchange is a comprehensive threat intelligence platform that helps organizations mitigate ransomware threats proactively. By ingesting and analyzing threat intel from multiple sources, Intel Exchange helps prioritize responses to the most pertinent threats, including ransomware campaigns. Through actionable intelligence, Intel Exchange enables proactive threat analysis that multiplies the effect of threat detection, allowing organizations to strengthen their security posture and prevent ransomware attacks before they can cause significant harm.

The Bottom Line

The Agenda ransomware’s global footprint underscores the need for international collaboration and collective defense against such threats. By understanding its origins, aliases, targeted sectors, countries, motivation, and common infection vectors, cybersecurity professionals can better prepare and defend against this insidious malware, safeguarding digital assets and the integrity of affected entities. Modern threat intel platform solutions go well beyond these capabilities while offering better scalability, operational efficiency, faster IR, and more. Hence, platforms like Cyware are essential for mitigating the risk posed by the Agenda/Qilin ransomware and similar threats in the ever-expanding digital landscape.

Indicators of Compromise (IOCs)


Detection Names

Avast Win64:Trojan-gen

Sophos Mal/Generic-S

Emsisoft Trojan.Ransom.Babuk.F (B)

Kaspersky Trojan.Win32.DelShad.ivd

Malwarebytes Generic.Malware/Suspicious

Microsoft Ransom:Win32/Babuk.SIB!MTB
