| Agenda Ransomware Group | |
| --- | --- |
| Other Names | Qilin, Water Galura, AgendaCrypt |
| Location | Unknown |
| Date of initial activity | 2022 |
| Suspected attribution | Unknown |
| Associated Groups | Unknown |
| Motivation | Financial gain |
| Associated tools | Agenda ransomware. The group deploys the ransomware binary with Remote Monitoring and Management (RMM) tools and Cobalt Strike. The Agenda executable itself can propagate via PsExec and Secure Shell (SSH), and it loads vulnerable signed .sys drivers (bring-your-own-vulnerable-driver) for defense evasion. |
| Active | Yes |
Overview
Agenda is an emerging ransomware family that has recently targeted critical sectors such as healthcare and education. The group appears to be migrating its code from Go to Rust: recent Rust samples still lack some features present in the original Go binaries.
Common targets
The Agenda ransomware group has primarily targeted organizations in the United States, Argentina, Australia, and Thailand, concentrating on industries critical to the economy such as finance, law, healthcare, and education.
Attack Vectors
Phishing emails containing malicious links are the documented initial access vector: the link delivers the foothold in the victim's network from which the operators later move laterally and exfiltrate sensitive data.
How they operate
After gaining initial access (typically through a phishing email with a malicious link), the operators move laterally across the victim's infrastructure, identifying the data worth stealing and encrypting.
During encryption the ransomware writes a ransom note into every directory it touches, with instructions for purchasing the decryption key. It can also reboot the host into safe mode and stop server-specific processes and services: safe mode keeps most endpoint security products from running, and stopping services such as databases and backup agents releases file locks so those files can be encrypted too, which makes recovery harder for the victim.
Once encryption succeeds, the group applies double extortion: it demands payment for the decryption key and separately threatens to publish the data exfiltrated earlier if the victim does not pay, raising the expected revenue from each intrusion.
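The post-access behaviours described in this section (PsExec lateral movement, stopping server services, staging a safe-mode reboot with bcdedit, loading a driver from an unusual path, and dropping the same note file into many directories) are all visible in endpoint telemetry. The script below is an added hunting example written for this page; it is not code from the page, from Trend Micro, or from the threat actor. The event shape (simplified Sysmon-style JSON with eid 1 process creation, eid 6 driver load, eid 11 file creation), the field names, the thresholds, and the sample records are assumptions, and the ransom-note file name in the samples is invented. The technique IDs are the standard MITRE ATT&CK mappings (T1562.009 Safe Mode Boot, T1021.002 SMB/Windows Admin Shares, T1489 Service Stop, T1486 Data Encrypted for Impact); the driver-path check is a generic heuristic for the "vulnerable .sys driver" behaviour, not a list of known-bad drivers.

```python
"""Hunt heuristics for the Agenda/Qilin post-access behaviour described above.

Added example, not code from the page or from the threat actor. The event shape
(simplified Sysmon-style JSON: eid 1 process creation, eid 6 driver load,
eid 11 file creation), the thresholds and the sample records are assumptions;
the ransom-note file name in the samples is invented.
"""
import json
import re
from collections import defaultdict

# Constructed telemetry for one file server and one workstation (not real data).
SAMPLE_EVENTS = [
    r'{"ts": 100, "host": "fs01", "eid": 1, "image": "C:\\Windows\\PSEXESVC.exe", "cmd": "C:\\Windows\\PSEXESVC.exe"}',
    r'{"ts": 101, "host": "fs01", "eid": 1, "image": "C:\\Windows\\System32\\net.exe", "cmd": "net stop MSSQLSERVER /y"}',
    r'{"ts": 102, "host": "fs01", "eid": 1, "image": "C:\\Windows\\System32\\net.exe", "cmd": "net stop SQLWriter /y"}',
    r'{"ts": 103, "host": "fs01", "eid": 1, "image": "C:\\Windows\\System32\\sc.exe", "cmd": "sc stop VeeamBackupSvc"}',
    r'{"ts": 104, "host": "fs01", "eid": 1, "image": "C:\\Windows\\System32\\bcdedit.exe", "cmd": "bcdedit /set {default} safeboot network"}',
    r'{"ts": 105, "host": "fs01", "eid": 6, "image": "C:\\Users\\Public\\drv.sys"}',
    r'{"ts": 106, "host": "fs01", "eid": 11, "target": "C:\\Data\\Finance\\README-RECOVER.txt"}',
    r'{"ts": 107, "host": "fs01", "eid": 11, "target": "C:\\Data\\HR\\README-RECOVER.txt"}',
    r'{"ts": 108, "host": "fs01", "eid": 11, "target": "C:\\Data\\Legal\\README-RECOVER.txt"}',
    r'{"ts": 200, "host": "ws22", "eid": 1, "image": "C:\\Windows\\System32\\net.exe", "cmd": "net stop Spooler"}',
    r'{"ts": 900, "host": "ws22", "eid": 11, "target": "C:\\Users\\jdoe\\notes.txt"}',
]

SAFEBOOT_RE = re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I)                 # reboot into safe mode
PSEXEC_RE = re.compile(r"psexe(?:c|svc)", re.I)                               # psexec.exe / PSEXESVC.exe
SERVICE_STOP_RE = re.compile(r"\b(?:net\s+stop|sc\s+stop|taskkill)\b", re.I)  # service/process stops
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"                               # expected home of .sys files


def parse(lines):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def find_tradecraft(lines, stop_threshold=3, window=60, note_threshold=3):
    """Return {host: [(technique_id, description, evidence), ...]} for the behaviours seen."""
    findings = defaultdict(list)
    stops = defaultdict(list)                       # host -> [(ts, cmd)] service-stop commands
    notes = defaultdict(lambda: defaultdict(set))   # host -> file name -> directories written to
    for ev in sorted(parse(lines), key=lambda e: (e["host"], e["ts"])):
        host, eid = ev["host"], ev["eid"]
        image, cmd = ev.get("image", ""), ev.get("cmd", "")
        if eid == 1:
            if SAFEBOOT_RE.search(cmd):
                findings[host].append(("T1562.009", "safe-mode reboot staged with bcdedit", cmd))
            if PSEXEC_RE.search(image) or PSEXEC_RE.search(cmd):
                findings[host].append(("T1021.002", "PsExec-style remote execution", image))
            if SERVICE_STOP_RE.search(cmd):
                stops[host].append((ev["ts"], cmd))
        elif eid == 6 and not image.lower().startswith(DRIVER_DIR):
            # Heuristic for the "vulnerable .sys driver" behaviour: a driver loaded from
            # outside the system drivers directory deserves a look (assumed rule, not a denylist).
            findings[host].append(("BYOVD", "driver loaded from outside the system drivers directory", image))
        elif eid == 11:
            directory, _, name = ev["target"].rpartition("\\")
            notes[host][name.lower()].add(directory.lower())
    # Burst of service stops: stop_threshold or more within `window` seconds on one host.
    for host, entries in stops.items():
        for ts, _ in entries:
            burst = [c for t, c in entries if ts - window <= t <= ts]
            if len(burst) >= stop_threshold:
                findings[host].append(("T1489", f"{len(burst)} service-stop commands within {window}s", "; ".join(burst)))
                break
    # Same file name dropped into many directories: the per-directory ransom-note behaviour.
    for host, by_name in notes.items():
        for name, dirs in by_name.items():
            if len(dirs) >= note_threshold:
                findings[host].append(("T1486", f"'{name}' written to {len(dirs)} directories (ransom-note drop)", ", ".join(sorted(dirs))))
    return dict(findings)


def score(findings):
    """Distinct techniques per host; several co-occurring behaviours is the escalation trigger."""
    return {host: len({f[0] for f in items}) for host, items in findings.items()}


if __name__ == "__main__":
    hits = find_tradecraft(SAMPLE_EVENTS)
    for host, items in hits.items():
        print(f"{host}: {score(hits)[host]} technique(s)")
        for tid, desc, evidence in items:
            print(f"  [{tid}] {desc}: {evidence}")
```

On the constructed input the file server trips all five rules while the workstation, with a single `net stop` and one ordinary file write, trips none. In practice each rule fires on its own in benign administration (a backup window stops services, a technician stages safe mode), so the useful signal is the co-occurrence score per host, and the thresholds should be tuned against a baseline of the environment's own telemetry.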
Significant Attacks
Agenda ransomware has been used against several industries, including finance and law, and detections of the family rose sharply beginning in December 2023. In these intrusions the operators deployed the ransomware binary with Remote Monitoring and Management (RMM) tools and Cobalt Strike.
Campaigns:
- Agenda ransomware targets healthcare and education organizations in countries including Thailand and Indonesia. (December 2022)
- Qilin gains access to victim networks by sending phishing emails that contain malicious links. (July 2023)
- Agenda continues to infect victims globally, with the US, Argentina, Australia, and Thailand among its top targets. (March 2024)