Researchers warn of a new ransomware family: a novel strain called Agenda sails in, targeting healthcare and education entities. Similar to BianLian, another emerging strain written in Go (aka Golang), this cross-platform threat is gaining popularity with affiliates for its versatility and easy-to-tweak campaign elements, including the encryption extension, a personalized ransom note (with the demanded ransom ranging from $50,000 to $800,000), and an embedded option for ransomware operators to choose which processes on the infected device to kill prior to encryption.
2022 has so far been a year for ransomware to thrive. While the number of financially motivated attacks is surging, defenders need to gear up against emerging threats. For swift detection of Agenda ransomware attacks, leverage a set of detections released by seasoned Threat Bounty Program developers Nattatorn Chuensangarun and Wirapong Petshagun:
The rules above can be applied across 26 SIEM, EDR, and XDR solutions supported by SOC Prime’s platform. To ensure enhanced visibility into related threats, the detections are aligned with the MITRE ATT&CK® framework.
SOC Prime delivers industry-leading solutions to drive preeminent cyber defense powered by a community of 600+ Threat Bounty Program researchers and Threat Hunters. Cyber defenders can instantly explore the comprehensive threat context behind the Agenda ransomware campaign by clicking the Explore Detections button and reach insightful contextual information, including MITRE ATT&CK references, CTI links, and executable binaries linked to the Sigma rules that accompany your search for related threats – all within the Cyber Threats Search Engine.
The in-depth research published by Trend Micro’s security analysts reveals that the studied pieces of targeted ransomware were 64-bit Windows PE files tailored to inflict maximum damage upon the chosen victims. The attacker also installed scanning programs like Nmap.exe and Nping.exe to map the network and used stolen credentials to access Active Directory over RDP.
Researchers discovered that Agenda disables automatic login using the old login credentials and changes the default user’s password in order to remain stealthy. The strain uses techniques popular with other ransomware groups, for instance REvil or Black Basta, to reboot the victim’s computer in safe mode before encrypting files. The threat is designed to compromise the entire network, with adversaries using the double extortion technique to put more pressure on the victim to pay the ransom.
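The pre-encryption behaviours described in the two paragraphs above (network scanning with Nmap/Nping, a password change on a local account, disabling automatic logon, and staging a safe-mode reboot) are exactly the kind of process-creation activity a hunting rule can correlate. The following is an added example, not code from SOC Prime, Trend Micro, or the Threat Bounty authors: it runs four simple rules over a handful of constructed process-creation log lines and then flags any host on which several distinct rules fired, since a single `net user` or `bcdedit` call is common administrative noise but the combination on one host within one session is not. The log format, host name, file paths and command lines are all constructed for this example; the `bcdedit ... safeboot` and Winlogon `AutoAdminLogon` details are the standard Windows mechanisms for the safe-mode reboot and autologon behaviours the research describes, not strings taken from the Agenda samples.

```python
"""Added example: correlate pre-encryption staging behaviours in process logs.

Not SOC Prime's, Trend Micro's, or the Threat Bounty authors' code.
Log format, host name, paths and command lines below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed process-creation records: "<ts> host=<h> image=<path> cmd=\"<cmdline>\""
SAMPLE_LOG = r"""
2022-08-25T10:01:12Z host=WS-0421 image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"
2022-08-25T10:03:40Z host=WS-0421 image=C:\Tools\nmap.exe cmd="nmap.exe -sn 10.10.0.0/24"
2022-08-25T10:04:05Z host=WS-0421 image=C:\Tools\nping.exe cmd="nping.exe --tcp -p 3389 10.10.0.15"
2022-08-25T10:15:22Z host=WS-0421 image=C:\Windows\System32\net.exe cmd="net user Administrator N3wP@ss"
2022-08-25T10:15:30Z host=WS-0421 image=C:\Windows\System32\reg.exe cmd="reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v AutoAdminLogon /t REG_SZ /d 0 /f"
2022-08-25T10:16:01Z host=WS-0421 image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} safeboot network"
2022-08-25T10:16:10Z host=WS-0421 image=C:\Windows\System32\notepad.exe cmd="notepad.exe report.txt"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    image: str
    command_line: str


# Each rule: (name, regex on the image basename, optional regex on the command line).
# Rule names are hypothetical; the matched tooling and switches are real Windows/Nmap ones.
RULES = [
    # Network mapping with the scanners named in the Trend Micro research.
    ("network_scanner_execution", re.compile(r"^(nmap|nping)\.exe$", re.I), None),
    # Boot configuration changed to start in safe mode (REvil / Black Basta style reboot).
    ("safe_mode_boot_configured", re.compile(r"^bcdedit\.exe$", re.I),
     re.compile(r"/set\s+.*\bsafeboot\b", re.I)),
    # "net user <name> <newpassword>": a local account password change.
    ("local_password_change", re.compile(r"^net1?\.exe$", re.I),
     re.compile(r"\buser\s+\S+\s+(?!/)\S+", re.I)),
    # Winlogon AutoAdminLogon set to 0: automatic logon with stored credentials disabled.
    ("autologon_disabled", re.compile(r"^reg\.exe$", re.I),
     re.compile(r"Winlogon.*AutoAdminLogon.*\b0\b", re.I)),
]


def parse_line(line: str):
    """Return the record fields for one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str) -> list[Finding]:
    """Apply every rule to every parseable line; one Finding per (line, rule) hit."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        base = rec["image"].rsplit("\\", 1)[-1]  # image basename, e.g. bcdedit.exe
        for name, image_re, cmd_re in RULES:
            if not image_re.match(base):
                continue
            if cmd_re is not None and not cmd_re.search(rec["cmd"]):
                continue
            findings.append(Finding(name, rec["host"], base, rec["cmd"]))
    return findings


def staged_hosts(findings: list[Finding], min_distinct_rules: int = 3) -> dict[str, list[str]]:
    """Hosts on which at least min_distinct_rules different rules fired, with the rule names."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f.rule:28} {f.host} {f.image}: {f.command_line}")
    print("hosts with staging activity:", staged_hosts(hits))
```

On the constructed input the rules fire five times on WS-0421 (two scanner executions, one password change, one autologon change, one safe-mode boot change), and `staged_hosts` reports that host because four distinct rules matched. In a real deployment the per-rule hits would be low-severity telemetry, and the correlation threshold, ideally bounded by a time window, is what turns them into an alert worth paging on.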
Seeking new ways to boost your cyber defense capabilities while saving hours on threat detection research and content development? Join SOC Prime’s Detection as Code platform to reach the most up-to-date detection content enriched with cyber threat intelligence and aligned with MITRE ATT&CK® to boost your cybersecurity effectiveness.