New “Agenda” Ransomware Allows Attackers to Customize Payloads for Each Victim

August 30, 2022

Researchers from Trend Micro have uncovered Agenda, a new ransomware strain written in Golang that is used in the wild to target health and education facilities in Indonesia, Saudi Arabia, South Africa and Thailand.

A threat actor identified as Qilin is advertising the ransomware on the dark web. Qilin claims the ransomware offers affiliates the ability to customize the binary payloads for each victim.

This feature allows the operators to decide on the ransom note, the encryption extension and the list of processes and services that must be terminated before the encryption process begins.

The ransomware also includes detection-evasion techniques. It uses a device's ‘safe mode’ feature to carry out its file encryption undetected, but not before the user's password is changed and automatic login is enabled.
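A defender-side way to look for the behaviour described above, as an added example that is not from the article or from Trend Micro: it flags a host where a password reset, an auto-login registry write and a safe-boot configuration change occur close together. The event records and field names are constructed, and the assumption that these steps surface as a Winlogon AutoAdminLogon write and a bcdedit safeboot command is not stated on the page.

```python
from datetime import datetime, timedelta

# Constructed, normalized sample events (not from the article). "kind" and
# "detail" are hypothetical field names for this example.
EVENTS = [
    {"ts": "2022-08-30T10:00:05", "host": "ws01", "kind": "password_reset",
     "detail": "target=alice"},
    {"ts": "2022-08-30T10:01:10", "host": "ws01", "kind": "registry_set",
     "detail": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon=1"},
    {"ts": "2022-08-30T10:02:40", "host": "ws01", "kind": "process",
     "detail": "bcdedit /set {default} safeboot network"},
    {"ts": "2022-08-30T09:00:00", "host": "ws02", "kind": "password_reset",
     "detail": "target=bob"},  # routine help-desk reset, nothing else follows
    {"ts": "2022-08-30T11:30:00", "host": "ws02", "kind": "process",
     "detail": "bcdedit /enum"},  # read-only query, not a safe-boot change
]
REQUIRED = {"password_change", "auto_login", "safe_mode"}

def classify(event):
    """Map one event to a behaviour label, or None if it is unrelated."""
    detail = event["detail"].lower()
    if event["kind"] == "password_reset":
        return "password_change"
    if event["kind"] == "registry_set" and detail.endswith(r"winlogon\autoadminlogon=1"):
        return "auto_login"
    if event["kind"] == "process" and "bcdedit" in detail and "safeboot" in detail:
        return "safe_mode"
    return None

def find_safe_mode_chains(events, window=timedelta(minutes=10)):
    """Return hosts where all three behaviours occur within `window`."""
    by_host = {}
    for event in events:
        label = classify(event)
        if label:
            ts = datetime.fromisoformat(event["ts"])
            by_host.setdefault(event["host"], []).append((ts, label))
    flagged = []
    for host, hits in sorted(by_host.items()):
        hits.sort()
        for start, _ in hits:
            seen = {label for ts, label in hits
                    if timedelta(0) <= ts - start <= window}
            if seen >= REQUIRED:
                flagged.append(host)
                break
    return flagged

if __name__ == "__main__":
    print(find_safe_mode_chains(EVENTS))
```

Requiring all three signals on one host inside the window keeps routine password resets and read-only boot queries from alerting on their own.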

Agenda also has a unique feature that makes it possible to infect an entire network and its shared drivers.

After successful encryption, Agenda renames the files with the configured extension, places the ransom note in each encrypted directory and restarts the computer in normal mode.

Although the ransom demanded by the attackers varies from company to company, it is estimated at US$50,000 to US$800,000.

The sources for this piece include an article in TheHackerNews.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
