Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Malware

Agenda (Ransomware) – Malware

April 3, 2024
Reading Time: 47 mins read
in Malware
Agenda (Ransomware) – Malware

Agenda Ransomware

Type of Malware

Ransomware

Country of Origin

Unknown

Date of initial activity

2022

Targeted Countries

Africa and Asia

Motivation

Financial Gain

Attack vectors

Phishing

Targeted systems

Windows

Associated Groups

Agenda ransomware group

Variants

Ransom.Win32.AGENDA.THIAFBB.

Overview

Agenda ransomware, first spotted in August 2022, is written in Go and has been used primarily to target healthcare and education organizations in Africa and Asia. The ransomware has some customization options, which include changing the filename extensions of encrypted files and the list of processes and services to terminate.

Targets

Agenda ransomware has been used primarily to target healthcare and education organizations in Africa and Asia.

Techniques Used

The Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they will execute properly even without a Go interpreter installed on a system. This is possible since Go statically compiles necessary libraries (packages). Upon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality, as listed in the table below. Agenda builds a runtime configuration to define its behavior, including its public RSA key, encryption conditions, list of processes and services to terminate, encryption extension, login credentials, and ransom note. As part of its initial routine, Agenda determines if the machine is running in safe mode. If it detects that the machine is running in safe mode, it terminates execution. The ransomware then removes shadow volume copies via execution of vssadmin.exe delete shadows /all /quiet, as well as terminating specific processes and services indicated in its runtime configuration, some of which are antivirus-related processes and services. After its initial routine, Agenda proceeds to create the runonce autostart entry *aster pointing to enc.exe, which is a dropped copy of itself. Changing user passwords and rebooting in safe mode Agenda also deploys a detection evasion technique during encryption: It changes the default user’s password and enables automatic login with the new login credentials. This feature can be enabled using the -safe command-line argument. Similar to REvil, Agenda reboots the victim’s machine in safe mode and then proceeds with the encryption routine upon reboot. To begin, Agenda lists all local users found on the device and then checks which one is set as the default user. Upon finding the default user, Agenda changes the user’s password. Upon changing the default user’s password and enabling automatic login, Agenda reboots the victim’s machine in safe mode. The ransomware also reboots the machine in normal mode after the encryption. Impersonation of legitimate accounts Another feature of Agenda is its ability to abuse local account credentials to execute the ransomware binary, using the embedded login credentials in its runtime configuration. Agenda begins the user impersonation by parsing the accounts in the runtime configuration and then separating them into username, domain, and password. It will use this data to attempt logging a user onto the local computer via the API LogonUserW. Agenda then proceeds to generate a random port number, which it will use in the execution of the ransomware binary through the API CreateProcessAsUserW in conjunction with the command-line argument -alter. Allowing network sharing Agenda is also associated with the compromise of an entire network and its shared drivers. It is not only about the encryption of data on one workstation. The ransomware adds a registry and then restarts the LanmanWorkstation service. After adding a new registry, it uses key [EnableLinkedConnections = 1] in the Enabling Mapped Drives drivers and then in restarting the LanmanWorkstation service. This will allow Agenda to list network drives in elevated programs like cmd. Encryption algorithm Agenda uses AES-256 for encrypting files and RSA-2048 for encrypting the generated key. To do so, it first generates the key and initialization vector (IV) that it will use for encryption by using the function generateKye, and then uses the API rand_read(). With this randomly generated key, Agenda proceeds to use AES-256 to encrypt target files. Lastly, it encrypts the key using RSA-2048 through the embedded public key from the runtime configuration. After successful encryption, Agenda renames the encrypted files by appending the company ID indicated in the runtime configuration. It then drops the ransom note {company_id}-RECOVER-README.txt in each encrypted directory. Process injection Agenda drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the Public folder. The file pwndll.dll is a patched DLL from the legitimate DLL WICloader.dll written in C, not Go. Agenda injects this DLL into svchost.exe to allow continuous execution of the ransomware binary.

Significant Malware Campaigns

  • Agenda ransomware is used primarily to target healthcare and education organizations. (September 2022)
  • Agenda ransomware targets enterprises in Asia and Africa. (August 2022)
  • Agenda ransomware’s activities included posting numerous companies on its leak site. (December 2022)
References:
  • Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
  • New Golang Ransomware Agenda Customizes Attacks
  • Agenda Ransomware Uses Rust to Target More Vital Industries
 
Tags: AfricaAgendaAgenda ransomware groupAsiaCybersecurityencryptionGo programsMalwarePhishingRansomwareWindows
ADVERTISEMENT

Related Posts

Iranian Phishing Campaign (Scam) – Malware

Iranian Phishing Campaign (Scam) – Malware

March 2, 2025
Fake WalletConnect (Infostealer) – Malware

Fake WalletConnect (Infostealer) – Malware

March 2, 2025
SilentSelfie (Infostealer) – Malware

SilentSelfie (Infostealer) – Malware

March 2, 2025
Sniper Dz (Scam) – Malware

Sniper Dz (Scam) – Malware

March 2, 2025
TikTok Malware Scam (Trojan) – Malware

TikTok Malware Scam (Trojan) – Malware

March 2, 2025
Zombinder (Exploit Kit) – Malware

Zombinder (Exploit Kit) – Malware

March 2, 2025

Latest Alerts

New ZeroCrumb Malware Steals Browser Cookies

TikTok Videos Spread Vidar StealC Malware

CISA Commvault ZeroDay Flaw Risks Secrets

GitLab Patch Stops Service Disruption Risks

3AM Ransomware Email Bomb and Vishing Threat

Function Confusion Hits Serverless Clouds

Subscribe to our newsletter

    Latest Incidents

    Cetus Crypto Exchange Hacked For $223M

    MCP Data Breach Hits 235K NC Lab Patients

    UFCW Data Breach Risks Social Security Data

    Cyberattack Paralyzes French Hauts de Seine

    Santa Fe City Loses $324K In Hacker Scam

    Belgium Housing Hit by Ransomware Attack

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial