| Agenda Ransomware | |
| --- | --- |
| Type of Malware | Ransomware |
| Country of Origin | Unknown |
| Date of initial activity | 2022 |
| Targeted Countries | Africa and Asia |
| Motivation | Financial Gain |
| Attack vectors | Phishing |
| Targeted systems | Windows |
| Associated Groups | Agenda ransomware group |
| Variants | Ransom.Win32.AGENDA.THIAFBB. |
Overview
Agenda ransomware, first spotted in August 2022, is written in Go and has been used primarily to target healthcare and education organizations in Africa and Asia. The ransomware has some customization options, which include changing the filename extensions of encrypted files and the list of processes and services to terminate.
Targets
Agenda ransomware has been used primarily to target healthcare and education organizations in Africa and Asia.
Techniques Used
The Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they execute properly even on a system with no Go toolchain or runtime installed. This is possible because Go statically links the necessary libraries (packages) into the binary.
Upon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality, as listed in the table below.
Agenda builds a runtime configuration to define its behavior, including its public RSA key, encryption conditions, list of processes and services to terminate, encryption extension, login credentials, and ransom note.
As part of its initial routine, Agenda determines if the machine is running in safe mode. If it detects that the machine is running in safe mode, it terminates execution.
The ransomware then removes shadow volume copies via execution of vssadmin.exe delete shadows /all /quiet, as well as terminating specific processes and services indicated in its runtime configuration, some of which are antivirus-related processes and services.
After its initial routine, Agenda creates the RunOnce autostart entry *aster, pointing to enc.exe, a dropped copy of itself. The leading asterisk in a RunOnce value name tells Windows to run the entry even when the machine boots into safe mode, which is what lets the dropped copy launch after the safe-mode reboot described below.
Changing user passwords and rebooting in safe mode
Agenda also deploys a detection evasion technique during encryption: it changes the default user’s password and enables automatic login with the new credentials. This feature is enabled with the -safe command-line argument. Similar to REvil, Agenda reboots the victim’s machine in safe mode and then proceeds with the encryption routine after the reboot.
To begin, Agenda lists all local users on the device and checks which one is set as the default user. Once it finds the default user, it changes that user’s password, enables automatic login, and reboots the victim’s machine in safe mode. After encryption completes, the ransomware reboots the machine in normal mode.
Impersonation of legitimate accounts
Another feature of Agenda is its ability to abuse local account credentials to execute the ransomware binary, using the embedded login credentials in its runtime configuration.
Agenda begins the user impersonation by parsing the accounts in the runtime configuration and then separating them into username, domain, and password. It will use this data to attempt logging a user onto the local computer via the API LogonUserW.
Agenda then proceeds to generate a random port number, which it will use in the execution of the ransomware binary through the API CreateProcessAsUserW in conjunction with the command-line argument -alter.
Allowing network sharing
Agenda is also associated with the compromise of an entire network and its shared drives, not just the encryption of data on a single workstation.
The ransomware adds the registry value EnableLinkedConnections = 1 (the Windows policy setting that makes mapped network drives visible to elevated processes) and then restarts the LanmanWorkstation service so the change takes effect. This allows Agenda to list network drives from elevated programs such as cmd.
Encryption algorithm
Agenda uses AES-256 for encrypting files and RSA-2048 for encrypting the generated key. To do so, it first generates the key and initialization vector (IV) that it will use for encryption by using the function generateKye, and then uses the API rand_read().
With this randomly generated key, Agenda proceeds to use AES-256 to encrypt target files. Lastly, it encrypts the key using RSA-2048 through the embedded public key from the runtime configuration.
After successful encryption, Agenda renames the encrypted files by appending the company ID indicated in the runtime configuration. It then drops the ransom note {company_id}-RECOVER-README.txt in each encrypted directory.
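The renamed files and per-directory ransom notes described above are the on-disk artifacts a responder can sweep for. The following triage helper is an added example (not Agenda's code or any vendor tool): it locates {company_id}-RECOVER-README.txt notes, derives the company ID from the note's name, and counts files carrying that ID as an appended extension. The dot separator for the appended ID and the character set of the company ID are assumptions; the directory tree it scans is constructed in a temp dir.

```python
import os
import re
import tempfile

# Ransom note name pattern from the description above; the character class for
# the company ID is an assumption (the page does not give its format).
NOTE_RE = re.compile(r"^(?P<cid>[A-Za-z0-9_-]+)-RECOVER-README\.txt$")


def triage(root):
    """Walk `root` and return (company_ids, note_dirs, renamed_counts).

    note_dirs maps a directory (relative to root) to the company ID found in
    its ransom note; renamed_counts maps directories to the number of files
    whose name ends in '.<company_id>' (dot separator is an assumption).
    """
    snapshot = [(os.path.relpath(d, root), files) for d, _, files in os.walk(root)]
    note_dirs = {}
    for rel, files in snapshot:
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                note_dirs[rel] = m.group("cid")
    company_ids = set(note_dirs.values())
    renamed_counts = {}
    for rel, files in snapshot:
        n = sum(1 for f in files if any(f.endswith("." + cid) for cid in company_ids))
        if n:
            renamed_counts[rel] = n
    return company_ids, note_dirs, renamed_counts


def build_sample_tree():
    """Create a constructed tree: one hit directory, one clean one. Returns root."""
    root = tempfile.mkdtemp(prefix="agenda-triage-")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("report.docx.ACME01", "budget.xlsx.ACME01", "ACME01-RECOVER-README.txt"):
        open(os.path.join(docs, name), "w").close()  # ACME01 is a constructed company ID
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    open(os.path.join(clean, "notes.txt"), "w").close()
    return root


def run_sample():
    """Build the constructed tree and triage it; returns the triage tuple."""
    return triage(build_sample_tree())


if __name__ == "__main__":
    ids, notes, counts = run_sample()
    print("company IDs:", ids, "| notes in:", notes, "| renamed files:", counts)
```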
Process injection
Agenda drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the Public folder. The file pwndll.dll is a patched DLL from the legitimate DLL WICloader.dll written in C, not Go. Agenda injects this DLL into svchost.exe to allow continuous execution of the ransomware binary.
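Several of the behaviours on this page leave host telemetry that can be matched directly: the vssadmin shadow deletion and asterisk-prefixed RunOnce entry, the EnableLinkedConnections registry change, and svchost.exe loading a DLL from the Public folder. The detector below is an added example (not Agenda's code or a vendor signature) run over constructed Sysmon-style events; the event field names follow Sysmon's conventions, while the file paths and the RunOnce hive are assumptions since the page does not give them.

```python
import re

# Constructed Sysmon-style events (event id 1 = process create, 13 = registry
# value set, 7 = image load). Paths and the RunOnce hive are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*aster",
     "Details": "C:\\Users\\Public\\enc.exe"},
    {"id": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    {"id": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Users\\Public\\pwndll.dll"},
    {"id": 1, "Image": "C:\\Windows\\System32\\notepad.exe",  # benign control event
     "CommandLine": "notepad.exe readme.txt"},
]

VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def classify(event):
    """Return (tag, evidence) findings for one event; empty list if nothing matched."""
    findings = []
    if event["id"] == 1:
        cmd = event.get("CommandLine", "")
        if VSSADMIN_DELETE.search(cmd):
            findings.append(("shadow_copy_deletion", cmd))
    elif event["id"] == 13:
        key, _, value_name = event.get("TargetObject", "").rpartition("\\")
        details = event.get("Details", "")
        # A RunOnce value whose name starts with '*' is run even in safe mode.
        if key.lower().endswith("\\runonce") and value_name.startswith("*"):
            findings.append(("safe_mode_runonce", f"{value_name} -> {details}"))
        if value_name.lower() == "enablelinkedconnections" and details.endswith("(0x00000001)"):
            findings.append(("linked_connections_enabled", event["TargetObject"]))
    elif event["id"] == 7:
        loaded = event.get("ImageLoaded", "")
        # svchost.exe loading a DLL from the world-writable Public folder.
        if event.get("Image", "").lower().endswith("\\svchost.exe") \
                and loaded.lower().startswith("c:\\users\\public\\"):
            findings.append(("dll_from_public_into_svchost", loaded))
    return findings


def scan(events):
    """Run classify() over an event stream and return all findings in order."""
    return [f for ev in events for f in classify(ev)]


if __name__ == "__main__":
    for tag, evidence in scan(SAMPLE_EVENTS):
        print(f"{tag}: {evidence}")
```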
Significant Malware Campaigns
- Agenda ransomware is used primarily to target healthcare and education organizations. (September 2022)
- Agenda ransomware targets enterprises in Asia and Africa. (August 2022)
- Agenda ransomware’s activities included posting numerous companies on its leak site. (December 2022)