Cybersecurity company Trend Micro is raising the alarm on a new ransomware family called Agenda, which has been used in attacks on organizations in Asia and Africa.
Written in the Golang (Go) cross-platform programming language, the threat has the ability to reboot systems in safe mode and to stop server-specific processes and services.
Agenda targets Windows-based systems and has been used in attacks against healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand.
More importantly, Trend Micro says the observed samples have been customized for each victim, with the requested ransom amount being different for each victim as well – it ranges between $50,000 and $800,000.
“Every ransomware sample was customized for the intended victim. Our investigation showed that the samples had leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files,” Trend Micro notes.
The cybersecurity firm also discovered Agenda-related dark web forum posts by a user named ‘Qilin’ and believes that the threat actor might be offering the ransomware to affiliates looking to customize payloads with victim details, including IDs, RSA keys, and the processes and services to be killed before encryption.
Agenda supports several command-line arguments, builds a runtime configuration to define its behavior, removes shadow volume copies, terminates various antivirus processes and services, and creates an auto-start entry pointing at a copy of itself.
Moreover, the ransomware changes the default user’s password and then enables automatic login using the modified credentials. It reboots the machine in safe mode and starts encrypting data upon reboot.
As part of one attack, the adversary used a public-facing Citrix server for initial compromise, likely via a valid account, and used the server to access the victim’s network. The ransomware sample that was deployed two days later was configured with valid and privileged accounts.
The adversary also used leaked credentials to connect to Active Directory via the remote desktop protocol (RDP), and installed scanning tools such as Nmap.exe and Nping.exe, to map the network. It also created a Group Policy Object (GPO) and deployed ransomware on all machines.
“The ransomware also takes advantage of local accounts to log on as spoofed users and execute the ransomware binary, further encrypting other machines if the logon attempt is successful. It also terminates numerous processes and services, and ensures persistence by injecting a DLL into svchost.exe,” Trend Micro notes.
The cybersecurity firm has identified similarities between Agenda and well-known ransomware families, including Black Basta, Black Matter, and REvil (aka Sodinokibi).
Specifically, Agenda’s payment site and the user verification implemented on its Tor site resemble those of Black Basta and Black Matter, while the ability to change Windows passwords and reboot systems in safe mode is similar to Black Basta and REvil.
Related: Ransomware, Malware-as-a-Service Dominate Threat Landscape
Related: Nations Vow to Combat Ransomware at US-Led Summit
Related: Ransomware Group Threatens to Leak Data Stolen From Security Firm Entrust