New Ransomware Variant Aims at Critical Infrastructure
Agenda, the latest version of the rust variant of a ransomware strain, has been observed in the wild. Agenda is attributed to an operation named Qilin, a ransomware-as-a-service (RaaS) group that has recently been linked to a series of attacks primarily targeting manufacturing and IT industries globally.
Upon executing the malware, the Rust binary prompts an error requiring a password to be passed as an argument. This command-line feature was also implemented in the Golang version of the Agenda ransomware.
Passing the “—password” parameter in conjunction with a dummy password “AgendaPass,” the ransomware starts its malicious activity by terminating various processes and services.
Agenda expands on intermittent encryption by configuring parameters that are used to determine the percentage of file content to be encrypted. This method lets a cybercriminal encrypt faster and easily avoid detection. An analysis of the ransomware binary reveals that encrypted files are given the extension “MmXReVIxLV,” before proceeding to drop the ransom note in every directory.
Unlike past variants, the Rust version of the Agenda ransomware can terminate the Windows AppInfo process and disable User Account Control (UAC). Rust variants have an allocated space for adding accounts in their configuration to be used mostly for privilege escalation.
Agenda is just another example of how new strands of ransomware are constantly being released in the wild. Are you protected from Agenda and other ransomware strands? Not sure? Let 2W Tech help.
2W Tech is a technology solutions provider specializing in solutions for the manufacturing industry. Let our team of IT Consultants evaluate your security solutions stack and ensure you are in the best position possible to protect against outside security threats and ransomware.