New “Agenda” ransomware allows attackers to customize payloads for each victim

Researchers from Trend Micro have uncovered Agenda, a new ransomware strain written in Golang that is used in the wild to target health and education facilities in Indonesia, Saudi Arabia, South Africa and Thailand.

A threat actor identified as Qilin is advertising the ransomware on the dark web. Qilin claims the ransomware offers affiliates the ability to customize the binary payloads for each victim.

This feature allows the operators to decide on the ransom note, the encryption extension and the list of processes and services that must be terminated before the encryption process begins.

The ransomware also has detection-evasion techniques. It uses a device's ‘safe mode’ feature to continue its file encryption undetected, but not before it changes the user's password and enables automatic login.

Agenda also has a unique feature that makes it possible to infect an entire network and its shared drivers.

After successful encryption, Agenda renames the files with the configured extension, places the ransom note in each encrypted directory and restarts the computer in normal mode.

Although the ransom demanded by the attackers varies from company to company, it is estimated at US$50,000 to US$800,000.

The sources for this piece include an article in TheHackerNews.

IT World Canada Staff