We recently discovered a new piece of targeted ransomware that was created in the Go programming language and that explicitly targeted one of our customers. This was evidenced by the specific email addresses and credentials the ransomware used. Malware written in the Go language (aka Golang) has become common amongst threat actors. One possible reason for this uptick in popularity is that Go statically compiles necessary libraries, making security analysis much harder.
Our investigation revealed that the new ransomware in question targeted enterprises in Asia and Africa. Based on dark web posts by a user named “Qilin” (who seems to be connected to the ransomware distributors) and through ransom notes, the ransomware is called “Agenda.”
Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run. The samples of the ransomware that we collected were customised for each victim, and they included unique company IDs and leaked account details.
Targets
All collected samples were 64-bit Windows PE (Portable Executable) files written in Go, and they were aimed at Windows-based systems. The group distributing the malware was targeting healthcare and education organisations in Indonesia, Saudi Arabia, South Africa, and Thailand. Every ransomware sample was customised for the intended victim. Our investigation showed that the samples had leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files.
We believe that Qilin (or the Agenda ransomware group) offers affiliates options to customise configurable binary payloads for each victim, including details such as company ID, RSA key, and processes and services to kill before the data encryption. Also, the ransom amount requested is different per company, ranging from US$50,000 to US$800,000.
Similarities with other ransomware
We noticed some similarities between Agenda and the Black Basta, Black Matter, and REvil (aka Sodinokibi) ransomware.
In terms of payment sites and the implementation of user verification on a Tor site, Agenda is very similar to Black Basta and Black Matter. Meanwhile, Agenda shares with Black Basta and REvil the same functionality of changing Windows passwords and rebooting in safe mode using this command:
C:\windows\system32\bcdedit.exe /set safeboot{current} network
Observed kill chain
Investigating one incident involving this ransomware, we saw that the threat actor behind it used a public-facing Citrix server as a point of entry. We believe that the threat actor used a valid account to access this server and later move inside the victim’s network. This was expected since the actor configured the ransomware with valid and privileged accounts.
The threat actor used RDP on Active Directory using leaked accounts. The actor dropped scanning tools, Nmap.exe and Nping.exe, for scanning the network. Next, the scheduled task was pushed by the group policy domain machine.
We observed that there was only a short period between accessing the Citrix server and the ransomware infection: less than two days. The threat actor seemed to have scanned the network on the first day, and then a Group Policy Object (GPO) was created and the ransomware was deployed on the machines.
Analysis and notable features
The Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they will execute properly even without a Go interpreter installed on a system. This is possible since Go statically compiles necessary libraries (packages).
Upon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality, as listed in the table below.
Argument | Description |
-alter {int} | Defines the port number for this child process |
-encryption {value} | Allows for redefining the embed encryptor config to the customised choice |
-ips {IP Address} | Allows for providing IP addresses |
-min-size {value} | Defines the minimum file size to encrypt (e.g., 1 KB, 1 MB, 1 GB, 666 KB) |
-no-proc | Defines the processes that will not be killed |
-no-services | Defines the services that will not be killed |
-password {string} | Defines the password to enter landing |
-path {directory} | Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned |
-safe | Boots in safe mode |
-stat | Makes malware print its configuration (processes and services to be killed, encryption, etc.) |
Table 1. Command-line arguments accepted by Agenda
Agenda builds a runtime configuration to define its behaviour, including its public RSA key, encryption conditions, list of processes and services to terminate, encryption extension, login credentials, and ransom note.
Runtime configuration component | Description |
public_rsa_pem | RSA public key |
directory_black_list | Directories excluded from encryption |
file_black_list | File names excluded from encryption |
file_pattern_black_list | File name extensions excluded from encryption |
process_black_list | Processes to terminate |
win_services_black_list | Services to terminate |
company_id | Encryption extension |
accounts | Login credentials |
note | Ransom note |
Table 2. The runtime configuration components of Agenda
As part of its initial routine, Agenda determines if the machine is running in safe mode by checking the string safeboot in the data of this registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control SystemStartOptions
If it detects that the machine is running in safe mode, it terminates execution.
The ransomware then removes shadow volume copies via execution of vssadmin.exe delete shadows /all /quiet, as well as terminating specific processes and services indicated in its runtime configuration, some of which are antivirus-related processes and services.
Processes | Services |
a2service.exe | acronis vss provider |
a2start.exe | acronis vss provider |
aawservice.exe | acronisagent |
ashserv.exe | acronisagent |
avengine.exe | acronisagentd |
avkwctl.exe | avbackup |
blackd.exe | avbackupd |
cfp.exe | ccevtmgr |
fsav32.exe | macmnsvc |
fsdfwd.exe | macmnsvcd |
fsguiexe.exe | masvc |
kpf4gui.exe | masvcd |
mcods.exe | mcshield |
mcpalmcfg.exe | sentinelagent |
mcproxy.exe | sentinelagentd |
mcregwiz.exe | sentinelhelperservice |
mcsacore.exe | sentinelhelperserviced |
mcshield.exe | sentinelstaticengine |
mpfagent.exe | sentinelstaticengined |
mpfservice.exe | shmonitor |
msmpeng.exe | shmonitord |
msscli.exe | smcinst |
nisum.exe | tmccsf |
ntrtscan.exe | tmccsfd |
pccpfw.exe | tmlisten |
tmntsrv.exe | tmlistend |
Table 3. Some of the antivirus-related processes and services terminated by Agenda
After its initial routine, Agenda proceeds to create the runonce autostart entry *aster pointing to enc.exe, which is a dropped copy of itself under the Public folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce*aster = %Public%\enc.exe
Changing user passwords and rebooting in safe mode
Agenda also deploys a detection evasion technique during encryption: It changes the default user’s password and enables automatic login with the new login credentials. This feature can be enabled using the -safe command-line argument. Similar to REvil, Agenda reboots the victim’s machine in safe mode and then proceeds with the encryption routine upon reboot.
To begin, Agenda lists all local users found on the device and then checks which one is set as the default user.
Upon finding the default user, Agenda changes the user’s password to Y25VsIgRDr.
It then proceeds to configure the Winlogon registry entry, setting the data to each of these values:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
AutoAdminLogon value =1
DefaultUserName = {username}
DefaultDomainName ={domainname}
DefaultPassword={ Y25VsIgRDr}
Upon changing the default user’s password and enabling automatic login, Agenda reboots the victim’s machine in safe mode via this command:
C:\windows\system32\bcdedit.exe /set safeboot{current} network
The ransomware also reboots the machine in normal mode after the encryption using this command:
C:\Windows\System32\bcdedit.exe /set safeboot network bcdedit /deletevalue {default} safeboot
Impersonation of legitimate accounts
Another feature of Agenda is its ability to abuse local account credentials to execute the ransomware binary, using the embedded login credentials in its runtime configuration.
Agenda begins the user impersonation by parsing the accounts in the runtime configuration and then separating them into username, domain, and password. It will use this data to attempt logging a user on to the local computer via the API LogonUserW.
Agenda then proceeds to generate a random port number, which it will use in the execution of the ransomware binary through the API CreateProcessAsUserW in conjunction with the command-line argument -alter.
Allowing network sharing
Agenda is also associated with the compromise of an entire network and its shared drivers. It is not only about the encryption of data on one workstation.
The ransomware adds a registry and then restarts the LanmanWorkstation service. After adding a new registry, it uses key [EnableLinkedConnections = 1] in the Enabling Mapped Drives drivers and then in restarting the LanmanWorkstation service. This will allow Agenda to list network drives in elevated programs like cmd.
Encryption algorithm
Agenda uses AES-256 for encrypting files and RSA-2048 for encrypting the generated key. To do so, it first generates the key and initialisation vector (IV) that it will use for encryption by using the function generateKye, and then uses the API rand_read().
With this randomly generated key, Agenda proceeds to use AES-256 to encrypt target files. Lastly, it encrypts the key using RSA-2048 through the embedded public key from the runtime configuration.
After successful encryption, Agenda renames the encrypted files by appending the company ID indicated in the runtime configuration. It then drops the ransom note {company_id}-RECOVER-README.txt in each encrypted directory.
Process injection
Agenda drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the Public folder. The file pwndll.dll is a patched DLL from the legitimate DLL WICloader.dll written in C, not Go. Agenda injects this DLL into svchost.exe to allow continuous execution of the ransomware binary.
Conclusion and solutions
Ransomware continues to evolve, developing more sophisticated methods and techniques to trap organisations. Our investigation shows how the new targeted ransomware Agenda is written in the Go language, making it harder to detect and analyse.
This ransomware has techniques for evading detection by taking advantage of the “safe mode” feature of a device to proceed with its encryption routine unnoticed. The ransomware also takes advantage of local accounts to log on as spoofed users and execute the ransomware binary, further encrypting other machines if the logon attempt is successful. It also terminates numerous processes and services, and ensures persistence by injecting a DLL into svchost.exe.
End users and organisations alike can mitigate the risk of infection from ransomware like Agenda by following these security best practices:
- Enable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.
- Adhere to the 3-2-1 rule when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location.
- Patch and update systems regularly. It’s important to keep operating systems and applications up to date, preventing malicious actors from exploiting any software vulnerabilities.
Organisations can also benefit from security solutions that offer multilayered detection and response, such as Trend Micro Vision One™, which has multilayered protection and behaviour detection capabilities that help block suspicious behaviour and tools before ransomware can do any damage. Trend Micro Apex One™ also provides next-level automated threat detection and response to protect endpoints against advanced issues, like fileless threats and ransomware.
Additional insights provided by Eleazar Valles and Sherif Magdy.
For more information about the indicators of compromise, download this document.
MITRE ATT&CK tactics and techniques