Agenda New Golang Ransomware

Agenda is a new Golang-based ransomware detected in the wild targeting entities and enterprises in Asia, Africa, and the Middle East. Security researchers observed that the ransomware is customized per victim.

Security researchers have spotted a new ransomware dubbed "Agenda" that is customized for each victim and written in the Go programming language, which makes security analysis much harder.

Agenda ransomware group customizes the binary payloads for each victim, including details such as RSA key, encryption conditions, encryption extension, login credentials, ransom note, and processes and services to kill before the data encryption. Also, the ransom amount requested is different per company.

Agenda Ransomware Characteristics:

  • The ransomware is a 64-bit Windows PE file written in the Go language.
  • Makes use of vulnerable public-facing Citrix servers as an entry point.
  • The actors use RDP on Active Directory, leveraging leaked local accounts to execute the ransomware binary.
  • Drops the scanning tools Nmap.exe and Nping.exe to scan the network.
  • Agenda deploys a detection evasion technique during encryption by changing the default user's password and enabling automatic login in safe mode with the new login credentials, then proceeds with the encryption routine upon reboot.
  • The ransomware can compromise the entire network and its shared drives.
  • Terminates numerous processes and services and ensures persistence by injecting a DLL into svchost.exe.
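The safe-mode auto-login staging described above leaves a host-level footprint that defenders can audit before the reboot happens. The following PowerShell script is an added example written for this advisory and is not code from the advisory or from any Agenda sample analysis. It assumes the technique is implemented through the standard Windows Winlogon automatic-logon values (AutoAdminLogon, DefaultUserName, DefaultPassword) and the safeboot flag on the current boot entry; those are well-known Windows settings, but that Agenda uses exactly these is an assumption of the example. Run it as Administrator, since bcdedit requires elevation.

```powershell
# Added example (not from the advisory): audit a Windows host for a
# safe-mode automatic-logon configuration of the kind Agenda is reported
# to stage before rebooting into its encryption routine.
# Assumption: the technique relies on the standard Winlogon auto-logon
# values and the bcdedit 'safeboot' flag.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# 1. Automatic logon enabled for a (possibly freshly changed) account
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($props.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is enabled for user '$($props.DefaultUserName)'"
}

# 2. Cleartext password stored for the automatic logon
if ($props.PSObject.Properties.Name -contains 'DefaultPassword') {
    $findings += "Cleartext DefaultPassword value present under Winlogon"
}

# 3. Current boot entry set to start in safe mode
#    ('bcdedit /enum {current}' lists a 'safeboot' line when the flag is set)
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s+') {
    $findings += "Current boot entry is configured to start in safe mode"
}

# Auto-logon plus safe-mode boot together is a far stronger signal than
# either setting on its own (auto-logon alone is common on kiosks).
if ($findings.Count -ge 2) {
    Write-Warning "Possible ransomware safe-mode auto-logon staging detected:"
    $findings | ForEach-Object { Write-Warning "  $_" }
} elseif ($findings.Count -eq 1) {
    Write-Output "Single finding, review manually: $($findings[0])"
} else {
    Write-Output "No safe-mode auto-logon indicators found."
}
```

For fleet-wide use, run the script through your endpoint management tool and forward a warning to the SIEM; the combination of a safe-mode boot flag and a newly enabled automatic logon is a reasonable trigger to isolate the host and check whether the password of the account named in DefaultUserName was changed recently.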

It should be highlighted that security researchers noticed some similarities between Agenda and the Black Basta, Black Matter, and REvil (aka Sodinokibi) ransomware.

Vulnerabilities
Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s Constituents

Mitigations
  • Sweep the environment for existing signs of the indicated IOCs and find out if there is a match.
  • Enable machine learning, active adversary mitigations, and behavioral detection in endpoint security.
  • If remote access is required, use a VPN with vendor best practices, multi-factor authentication, password audits, and precise access control, in addition to actively monitoring remote access sessions.
  • Users logged into remote access services should have limited privileges on the rest of the corporate network.
  • Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.
  • Develop and implement a patching policy and baseline configuration standards for the operating system.
  • Conduct cybersecurity awareness training for end users.
  • Ensure anti-virus software and associated files are up to date.
  • Set up an alert on events where the AV agent loses its connection with the main panel.
  • Back up your data using different backup destinations, including tape drives.

References