The Agenda ransomware group, also known as Qilin and Water Galura, has intensified its global cyberattacks, targeting critical industries such as finance and law across the United States, Argentina, Australia, and Thailand. A notable shift in focus has emerged: the group now also targets VMware vCenter and ESXi servers, a critical new class of target because a single hypervisor hosts many workloads. First identified in 2022, Agenda has evolved its tactics quickly, demonstrating a sophisticated understanding of cybersecurity vulnerabilities and exploiting them effectively.
According to Trend Micro, a cybersecurity firm closely monitoring Agenda’s activities, there has been a significant surge in attacks since December 2023, indicating either an expansion of operations or increased effectiveness in reaching targets. The group’s modus operandi involves deploying ransomware binaries using Remote Monitoring and Management (RMM) tools and Cobalt Strike, then propagating through the network by means such as PsExec and Secure Shell (SSH). Notably, Agenda’s recent enhancements, including disabling sandbox detection and token impersonation, reflect its evolving sophistication in evading detection.
A particularly alarming development is Agenda’s capability to spread to VMware vCenter and ESXi servers, facilitated by executing a custom PowerShell script embedded in the ransomware binary. This ability to propagate across virtual infrastructure poses significant risks of data loss, financial harm, and service disruption. To evade detection, Agenda employs defense evasion techniques like Bring Your Own Vulnerable Driver (BYOVD), leveraging vulnerable drivers to disable security tools, underscoring the adaptability of ransomware and the challenges faced by cybersecurity defenses.
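The three techniques named above (PsExec-based propagation, PowerShell reaching into vCenter/ESXi, and BYOVD driver loading) lend themselves to a simple host-level correlation a defender can run over Windows event logs. The following is an added example, not code from the article or from Trend Micro's report, run over constructed log lines; event IDs 7045 and 4104 are the standard Windows service-install and PowerShell script-block events, while the cmdlet names, driver path, and host names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample Windows event records (not from the article), one per line:
# host|event_id|message. 7045 = service installed, 4104 = PowerShell script block.
SAMPLE_LOGS = """\
web01|7045|Service installed: PSEXESVC image=C:\\Windows\\PSEXESVC.exe
web01|4104|ScriptBlock: Connect-VIServer -Server vcenter01; Get-VM | Stop-VM -Confirm:$false
web01|7045|Service installed: drvsvc image=C:\\Users\\Public\\PLACEHOLDER_DRIVER.sys
db02|4104|ScriptBlock: Get-ChildItem C:\\logs
db02|4688|New process: notepad.exe
""".splitlines()

# One rule per technique the article attributes to Agenda. The patterns are
# assumptions chosen for illustration, not indicators published for this group.
RULES = {
    "psexec_lateral_movement": (7045, re.compile(r"\bPSEXESVC\b", re.I)),
    # BYOVD: a kernel driver (.sys) registered as a service from a user-writable directory
    "byovd_driver_install": (7045, re.compile(r"image=.*\\(Users|Temp)\\.*\.sys\b", re.I)),
    # PowerShell touching vCenter/ESXi: PowerCLI cmdlets or ESXi command-line tools
    "powershell_esxi_vcenter": (4104, re.compile(r"Connect-VIServer|Stop-VM|esxcli|vim-cmd", re.I)),
}

def parse(line):
    """Split 'host|event_id|message'; the message itself may contain '|' (PowerShell pipes)."""
    host, event_id, message = line.split("|", 2)
    return host, int(event_id), message

def detect(lines):
    """Map each host to the set of technique names observed in its events."""
    hits = defaultdict(set)
    for line in lines:
        host, event_id, message = parse(line)
        for name, (wanted_id, pattern) in RULES.items():
            if event_id == wanted_id and pattern.search(message):
                hits[host].add(name)
    return dict(hits)

def flagged_hosts(lines, min_techniques=2):
    """Hosts showing at least min_techniques distinct techniques; a single
    PsExec or PowerCLI event on its own is often legitimate admin activity."""
    return sorted(h for h, names in detect(lines).items() if len(names) >= min_techniques)

if __name__ == "__main__":
    for host, names in detect(SAMPLE_LOGS).items():
        print(host, sorted(names))
    print("flagged:", flagged_hosts(SAMPLE_LOGS))
```

Raising `min_techniques` trades sensitivity for fewer false positives from routine administration; in a real deployment the rule set would be fed from the organisation's own driver allowlist and vCenter admin hosts.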
Organizations are urged to adopt a multilayered security approach, including limiting administrative rights, conducting regular security scans, backing up data, promoting safe email and web browsing practices, and educating users on social engineering risks. Such measures are crucial in mitigating the threat posed by Agenda and similar ransomware groups, safeguarding against potential cyberattacks and their damaging consequences.