Agenda ransomware hits the education and healthcare sectors

September 8, 2022

A newly emerged ransomware family called Agenda has been seen targeting the education and healthcare sectors in Africa and Asia. The latest analysis revealed that the new ransomware is written in the Go programming language (Golang) and modified for every attack.

The ransomware was named Agenda because the ransom notes and dark web posts published by its authors refer to it as “agenda”. The author of this newly emerged strain is believed to be connected to a ransomware distributor.

Moreover, the threat actors deploying the Agenda ransomware have targeted education and healthcare institutions in several countries, such as Indonesia, Thailand, South Africa, and Saudi Arabia.

The ransomware can also run in multiple modes, reboot systems into safe mode, and halt server processes and services. Investigations found that it was modified for each victim, with different company IDs and leaked account information appearing in the collected samples.

The distributor offers affiliates choices for customising configurable binary payloads for every victim, including information such as company ID, processes, RSA key, and services to terminate before data encryption.

The Agenda ransomware has something in common with numerous strains from different groups.

Cybersecurity analysts have seen several overlaps between Agenda ransomware’s features and those of other strains such as REvil, Black Basta, and BlackMatter.

The analysts first noticed that Black Basta and BlackMatter have payment sites identical to Agenda’s. In addition, both ransomware strains use user verification on their Tor sites.

Furthermore, Agenda, REvil, and Black Basta share similar commands for altering Windows passwords and restarting in safe mode.

The observed samples of all these ransomware families are 64-bit Windows PE files written in Go and are aimed at Windows-based systems. Agenda, however, also drops pwndll[.]dll, detected by researchers as Trojan[.]Win64[.]AGENDA[.]SVT, in the Public folder. This payload is injected into svchost[.]exe, enabling persistent ransomware execution.
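A defender-side check for the persistence step just described, as an added example that is not code from the original article: it scans constructed Sysmon-style image-load records and flags a service host such as svchost.exe loading a DLL from a user-writable folder like Public. The prefix list and the set of host image names are assumptions to adapt to your own environment.

```python
"""Flag DLLs that a Windows service host loads from user-writable folders.
Added example, not code from the article; the log lines are constructed
Sysmon-style image-load records (event ID 7) in JSON Lines form, with the
article's defanged names (pwndll[.]dll, svchost[.]exe) written out normally.
"""
import json
from pathlib import PureWindowsPath

# Constructed telemetry: a benign load, the Public-folder DLL loaded into
# svchost.exe, a Public-folder load by an unrelated process, and one
# non-image-load event that the check must ignore.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\rpcss.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Users\\Public\\pwndll.dll"}
{"EventID": 7, "Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": "C:\\Users\\Public\\helper.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
""".strip().splitlines()

# Folders any local user can write to (assumed starting set; extend it).
# Compared case-insensitively after normalising '/' to '\'.
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\",
                          "c:\\windows\\temp\\")
HOST_IMAGES = ("svchost.exe",)  # service hosts whose loads are checked


def parse_log(lines):
    """Parse JSON Lines records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate truncated or garbled lines
    return events


def is_user_writable(path):
    """True if the path sits under a known user-writable folder."""
    normalised = path.replace("/", "\\").lower()
    return any(normalised.startswith(p) for p in USER_WRITABLE_PREFIXES)


def find_suspicious_loads(events, host_images=HOST_IMAGES):
    """Return (host image, loaded DLL) pairs where a service host loads
    code from a user-writable folder; all other events are ignored."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        host, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
        if PureWindowsPath(host).name.lower() not in host_images:
            continue
        if is_user_writable(loaded):
            hits.append((host, loaded))
    return hits
```

Only the svchost.exe load of pwndll.dll from the Public folder is reported; the same DLL loaded by an ordinary application is left to other rules.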

Researchers also noted that the ransom demanded varies from victim to victim, ranging from $50,000 to $800,000. If the ransom is not paid, the operators of Agenda ransomware commonly leak customer passwords, accounts, and company IDs.

The newly discovered Agenda ransomware is equipped with several sophisticated techniques, such as operating in safe mode and maintaining persistence through DLL injection. Several experts claimed that the similarities between Agenda and other ransomware strains show that it was created by experienced threat actors.
