"New 'Agenda' Ransomware Customized for Each Victim"

Cybersecurity researchers at Trend Micro are raising the alarm on a new ransomware family called Agenda, which has been used in attacks on organizations in Asia and Africa. Agenda is written in Go, targets Windows systems, and has been used against healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand. Every sample the researchers observed was customized for its intended victim: the samples embedded leaked accounts and customer passwords, used a unique company ID as the extension for encrypted files, and carried a per-victim ransom demand ranging from $50,000 to $800,000.

Agenda supports several command-line arguments, builds a runtime configuration that defines its behavior, removes shadow volume copies, terminates various antivirus processes and services, and creates an auto-start entry pointing at a copy of itself. It can also stop server-specific processes and services. The ransomware changes the default user's password and enables automatic login with the modified credentials, then reboots the machine into safe mode and begins encrypting data after the reboot; rebooting into safe mode is a common way for ransomware to run while endpoint security products and other services that do not start in safe mode are out of the way.

The researchers identified similarities between Agenda and well-known ransomware families, including Black Basta, BlackMatter, and REvil (aka Sodinokibi). Specifically, Agenda's payment site and the user verification implemented on its Tor site resemble those of Black Basta and BlackMatter, while the ability to change Windows passwords and reboot systems in safe mode is similar to Black Basta and REvil.
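The host-level chain described above (deleting shadow copies, configuring a safe-mode boot, enabling Winlogon auto-logon, changing a local account password) is shared across several ransomware families and is cheap to spot in process-creation telemetry when the pieces are correlated per host. The following is an added detection sketch written for this page; it is not Trend Micro's code and not derived from an Agenda sample. The command lines in its sample data are constructed examples of how those behaviours commonly appear in Sysmon Event ID 1 (process creation) records, not commands recovered from Agenda, and the 30-minute window and severity tiers are assumptions chosen for illustration.

```python
"""Added detection sketch (not Trend Micro's code, not an Agenda sample):
correlate the Agenda-style ransomware chain in process-creation telemetry.

The command lines in SAMPLE_EVENTS are constructed examples in Sysmon
Event ID 1 style, not commands recovered from an Agenda sample."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: datetime
    image: str
    cmdline: str


# One regex per behaviour in the chain. Each is a signal on its own;
# the combination within a short window on one host is what matters.
RULES = {
    # Inhibit System Recovery: shadow copy deletion via vssadmin or WMI
    "shadow_copy_deletion": re.compile(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    # Safe Mode Boot: bcdedit touching the safeboot value of a boot entry
    "safe_mode_boot_config": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I),
    # Auto-logon through the Winlogon registry key (reg.exe or PowerShell)
    "winlogon_autologon": re.compile(
        r"\\Winlogon\b.*\b(?:AutoAdminLogon|DefaultPassword|DefaultUserName)\b",
        re.I),
    # Local account password change: "net user <name> <password>", not a /switch
    "local_password_change": re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+(?!/)\S+", re.I),
}

# Safe-mode configuration plus auto-logon together are the signature of the
# "reboot into safe mode and keep running" trick; treat that pair as critical.
HIGH_CONFIDENCE = {"safe_mode_boot_config", "winlogon_autologon"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def match_event(ev: ProcEvent) -> set:
    """Return the names of all rules whose regex hits this event's command line."""
    return {name for name, rx in RULES.items() if rx.search(ev.cmdline)}


def correlate(events, window: timedelta = WINDOW) -> list:
    """Group rule hits per host and score the densest window of activity.

    For every hit, union the rules seen on the same host within the preceding
    `window`; the largest such set decides the host's severity."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        hits = match_event(ev)
        if hits:
            by_host[ev.host].append((ev.ts, hits))

    alerts = []
    for host, hits in by_host.items():
        best = set()
        for ts, _ in hits:
            seen = set()
            for ts2, rules2 in hits:
                if ts - window <= ts2 <= ts:
                    seen |= rules2
            if len(seen) > len(best):
                best = seen
        if HIGH_CONFIDENCE <= best:
            severity = "critical"
        elif len(best) >= 2:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"host": host, "severity": severity, "rules": sorted(best)})
    return alerts


def at_time(hhmm: str) -> datetime:
    """Helper for the constructed sample: a timestamp on one fixed day."""
    return datetime(2022, 8, 25, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry: WS01 shows the full chain, SRV03 only a shadow
# copy deletion (could be an admin), WS02 only benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("WS01", at_time("10:02"), r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("WS01", at_time("10:03"), r"C:\Windows\System32\net.exe",
              "net user Administrator Pa55w0rd!"),
    ProcEvent("WS01", at_time("10:03"), r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" '
              r'/v AutoAdminLogon /t REG_SZ /d 1 /f'),
    ProcEvent("WS01", at_time("10:04"), r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} safeboot network"),
    ProcEvent("SRV03", at_time("11:15"), r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /for=C: /oldest"),
    ProcEvent("WS02", at_time("12:00"), r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /enum"),
    ProcEvent("WS02", at_time("12:01"), r"C:\Windows\System32\net.exe",
              "net user"),
]


def alerts_by_host(events=SAMPLE_EVENTS) -> dict:
    """Run the correlation and index the alerts by host name."""
    return {a["host"]: a for a in correlate(events)}


if __name__ == "__main__":
    for host, alert in alerts_by_host().items():
        print(f"{host}: {alert['severity']:8s} {', '.join(alert['rules'])}")
```

Run against the constructed sample, WS01 is scored critical because safe-mode configuration and auto-logon land together with the other two signals inside one window, SRV03 only medium on the lone shadow-copy deletion, and WS02 produces nothing because neither `bcdedit /enum` nor a bare `net user` satisfies a rule. The safe-mode rule deliberately also fires on `bcdedit /deletevalue ... safeboot`, since clearing the value after encryption is part of the same activity.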


SecurityWeek reports: "New 'Agenda' Ransomware Customized for Each Victim"
