New Go-based Ransomware 'Agenda' Delivers Customized Attacks

A new piece of targeted ransomware created in the Go programming language has been customized for maximum impact against individual victims.

Security analysts from Trend Micro outlined the new threat in an advisory they published on Thursday following direct attacks against one of the company's customers.

"Malware written in the Go language (aka Golang) has become common among threat actors," reads the document. "One possible reason for this uptick in popularity is that Go statically compiles necessary libraries, making security analysis much harder."

Incidentally, while Golang is still a popular programming language for ransomware, some actors, including BlackCat, are now moving to Rust.

As for the Agenda ransomware, Trend Micro said the threat targeted healthcare and education organizations in Indonesia, Saudi Arabia, South Africa and Thailand.

From a technical standpoint, Agenda reportedly offers several features, including rebooting systems into safe mode, attempting to stop many server-specific processes and services, and supporting multiple run modes. The ransomware uses AES-256 to encrypt files and RSA-2048 to encrypt the generated AES key.

Additionally, the samples of the ransomware the security firm collected were customized for each victim. The ransom amount requested, for instance, was different for each company, ranging from $50,000 to $800,000.

"Our investigation showed that the samples had leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files," Trend Micro added.

Because of the highly informed nature of these attacks, the antivirus company believes the ransomware group offers affiliates the option to customize a configurable binary payload for each victim.

"[These include] details such as company ID, RSA key, and processes and services to kill before the data encryption."

Further, Trend Micro warned that Agenda has techniques for evading detection by taking advantage of a device's 'safe mode' feature to proceed with its encryption routine unseen.

"The ransomware also takes advantage of local accounts to log on as spoofed users and execute the ransomware binary, further encrypting other machines if the logon attempt is successful. It also terminates numerous processes and services and ensures persistence by injecting a DLL into svchost.exe."

To defend against Agenda, Trend Micro recommended the use of multifactor authentication (MFA) solutions, following the 3-2-1 rule when backing up important files, and regularly patching and updating systems.
