A 105% surge in ransomware attacks in 2021 triggered global concern. If HelloKitty, BlackCat, Lockbit, Kaseya, and others were the culprits behind the worldwide disruptions last year, the latest addition to the ransomware family, the Agenda ransomware, represents how new threats constantly evolve. Agenda has been wreaking havoc in Asia and Africa, where ransom demands are inching close to $800,000.
Agenda: the latest addition to the ransomware family
Agenda Ransomware is a double extortion malware allegedly spread by the threat actor Quilin. Agenda is written in Golang – a popular language among cyber attackers.
How does Agenda ransomware work?
The entry point of Agenda is reported to be a public-facing Citrix server. Agenda ransomware is particularly dangerous because it can reboot systems in safe mode, cease many server-related processes and services, and run on many modes. The ransomware is reported to target Windows-based systems.
How Agenda carries out the attack
Agenda ransomware's programming language GO and its ability to integrate all necessary libraries and leverage the safe mode help it pass security checks unnoticed. It also exploits local accounts and logs as a spoofed user to execute the ransomware binary and encrypt the rest of the systems on the server, sometimes terminating them.
Here’s how Agenda ransomware carries out its attacks:
Step 1: Agenda checks the string ‘safe boot’ to find out if the system is running in safe mode.
Step 2: It terminates the execution if the machine runs in safe mode.
Step 3: It removes shadow volume copies and terminates some specific processes and services indicated in Agenda's runtime configuration, including some antivirus-related ones.
Step 4: During encryption, Agenda deploys a detection evasion technique that allows the ransomware to change the default user password and log in with new credentials.
Step 5: To initiate the attack, Agenda reboots the victim's system in safe mode and encrypts it. It then lists all local users of the device and identifies the default user. After the encryption, it can also reboot the victim's system in normal mode.
Step 6: Agenda exploits a local account to gain access through the login credentials embedded in the system's runtime configuration.
Step 7: After the ransomware gains access to the login credentials, it successfully changes it. Agenda then generates a random port number that it uses for executing the ransomware binary.
Step 8: Agenda can map and list network drives. If there are shared devices, the ransomware can compromise an entire network and all its devices.
Step 9: Through a randomly generated key, Agenda encrypts the target files, and once done, it encrypts the key.
Step 10: After encryption, Agenda appends the company ID indicated in the runtime configuration to rename the encrypted files. It then drops the ransom note in each encrypted directory.
Agenda’s similarities with others in the ransomware family
Agenda's source code is similar to ransomware families like Black Basta, BlackMatter, and REvil.
Like Black Basta, Agenda is double extortion ransomware. It follows in the footsteps of REvil to launch an attack by rebooting the system in safe mode and changing the Windows password. Further, just like BlackCat, Hive, and Luna, it is written in Golang programming language, which makes it difficult to detect and analyze.
How to prevent an Agenda attack
As ransomware attacks rise, the methods to execute them are becoming increasingly sophisticated. In Agenda’s case, the ransomware takes advantage of the safe mode, can evade detection, and exploits local accounts unnoticed. But with preventive measures, companies can mitigate the risk of cyberattacks.
Here are some security best practices that companies can follow:
or multifactor authentication prevents attackers' lateral movement within a system.
Following the 3-2-1 rule
for backing up files means creating as many as three backup files in two different formats, among which one of the copies gets stored in a separate location.
Regular security patches
of systems and applications help prevent malware from abusing any vulnerabilities.
Agenda ransomware comes with new and improved features that make it more dangerous than its predecessors. It uses the safe mode to evade detection and changes the Windows password to launch an attack. To prevent such sophisticated attacks, it is essential to follow security best practices like using MFA and backing up files regularly.
At Packetlabs, we offer ransomware penetration testing for companies across industries to gauge the robustness of their security infrastructure. Contact us for a free, no-obligation quote.
Ransomware Penetration Testing
Ransomware penetration testing evaluates the preparedness and risk of a ransomware attack. In addition to a complete analysis of the security program against the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374), and a technical assessment of security controls, a full penetration test is conducted to measure the robustness of your systems.