Agenda is a new strain of Golang ransomware specifically targeting healthcare and education organizations in Indonesia, Thailand, South Africa, and Saudi Arabia.
Discovered by Trend Micro researchers, Agenda ransomware can reboot compromised systems in safe mode and can attempt to prevent multiple server-specific processes and services from running. Furthermore, the ransomware has numerous modes to run and can be customized for each victim. The samples Trend Micro collected include unique company IDs and leaked account details.
Agenda Ransomware: Technical Specifications
Malware written in Go (Golang) is becoming more common in the threat landscape. Go programs are standalone and cross-platform, which means that they execute properly even on a system with no Go toolchain installed. Furthermore, the language can compile the necessary libraries statically into the binary, making security analysis much harder.
All collected Agenda samples were 64-bit PE (Portable Executable) files written in Go, specifically targeting Windows systems. The investigation revealed that the samples contained leaked accounts, customer passwords, and unique company IDs, the latter used as the extension of encrypted files.
The researchers believe that Qilin, the threat group behind Agenda ransomware, offers “affiliates options to customize configurable binary payloads for each victim, including details such as company ID, RSA key, and processes and services to kill before the data encryption,” as per the report. The demanded ransom amount also varied from company to company, ranging from US$50,000 to US$800,000.
Agenda Shares Similarities with Other Ransomware Families
According to the report, Agenda shares similarities with the Black Basta, Black Matter, and REvil ransomware families. In its payment sites and its implementation of user verification via a Tor site, the ransomware is reminiscent of Black Basta and Black Matter. With REvil, it shares the functionality of changing Windows passwords and rebooting in safe mode via a particular command.