New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim
2022-08-29 17:25

A new ransomware strain written in Golang dubbed "Agenda" has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand.

Qilin, the threat actor advertising the ransomware on the dark web, is said to provide affiliates with options to tailor the binary payloads for each victim, enabling the operators to decide the ransom note, encryption extension, as well as the list of processes and services to terminate before commencing the encryption process.

The ransomware incorporates techniques for detection evasion by taking advantage of the 'safe mode' feature of a device to proceed with its file encryption routine unnoticed, but not before changing the default user's password and enabling automatic login.
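A defender-side illustration of the behaviour described above, added here and not taken from the article or from Trend Micro: a Python correlation that flags a host when a password change, an automatic-logon setting and a safe-mode boot configuration appear within a short window. The article does not name the mechanisms; the `net user` and `bcdedit` command lines, the Winlogon `AutoAdminLogon` value, the event tuple format and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry (host, ISO time, kind, detail); not taken from the article.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS = [
    ("ws-01", "2022-08-20T02:10:05", "process", r"net user Administrator N3wPass!"),
    ("ws-01", "2022-08-20T02:10:09", "registry", WINLOGON + r"\AutoAdminLogon=1"),
    ("ws-01", "2022-08-20T02:10:12", "process", r"bcdedit /set {default} safeboot network"),
    # Safe-mode boot alone (e.g. admin troubleshooting) must not alert.
    ("ws-02", "2022-08-20T09:00:00", "process", r"bcdedit /set {default} safeboot minimal"),
    # All three signals, but autologon was set a day earlier: outside the window.
    ("ws-03", "2022-08-20T03:00:00", "registry", WINLOGON + r"\AutoAdminLogon=1"),
    ("ws-03", "2022-08-21T03:00:00", "process", r"bcdedit /set {default} safeboot minimal"),
    ("ws-03", "2022-08-21T03:00:01", "process", r"net user kiosk Passw0rd"),
]

# One rule per behaviour in the paragraph above (assumed Windows mechanisms).
RULES = {
    "password_change": ("process", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+[^/\s]\S*", re.I)),
    "autologon": ("registry", re.compile(r"\\Winlogon\\(AutoAdminLogon=1|DefaultPassword=)", re.I)),
    "safeboot": ("process", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)),
}

def classify(kind, detail):
    """Map one event to a signal name, or None if it matches no rule."""
    for name, (rule_kind, rx) in RULES.items():
        if kind == rule_kind and rx.search(detail):
            return name
    return None

def hosts_staging_safe_mode(events, window=timedelta(minutes=10)):
    """Return hosts where all three signals occur within `window` of each other."""
    seen = {}      # host -> {signal: latest timestamp}
    flagged = []
    for host, ts, kind, detail in sorted(events, key=lambda e: e[1]):
        signal = classify(kind, detail)
        if signal is None:
            continue
        now = datetime.fromisoformat(ts)
        latest = seen.setdefault(host, {})
        latest[signal] = now
        fresh = [t for t in latest.values() if now - t <= window]
        if len(fresh) == len(RULES) and host not in flagged:
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    print(hosts_staging_safe_mode(SAMPLE_EVENTS))
```

Requiring all three signals together keeps a lone safe-mode reboot or a routine password reset from alerting.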

Agenda, besides leveraging local account credentials to execute the ransomware binary, also comes with capabilities to infect an entire network and its shared drivers.

In one of the observed attack chains involving the ransomware, a public-facing Citrix server served as an entry point to ultimately deploy the ransomware in less than two days.

Trend Micro said it observed source code similarities between Agenda and the Black Basta, Black Matter, and REvil ransomware families.


News URL

https://thehackernews.com/2022/08/new-golang-based-agenda-ransomware-can.html