Chris Swagler | September 3rd, 2022

A new ransomware variant called “Agenda” has been discovered. It is written in the Go programming language and customized to maximize impact against individual victims, as evidenced by the specific email addresses and credentials each sample contains. Go (also known as Golang) has become increasingly common among threat actors for writing malware: Go statically links the libraries a program needs into a single binary, which makes analysis more challenging and may be one factor contributing to its recent surge in popularity. An investigation revealed that the new ransomware is targeting healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand.

The information on the ransomware “Agenda” is based on dark web posts by a user called “Qilin”, who has connections to ransomware distributors, and on ransom notes. Agenda ransomware has several operating modes, can reboot systems in safe mode, and attempts to shut down numerous server-specific processes and services. The ransomware samples gathered were tailored for each victim and contained leaked account information and unique company IDs.

The samples collected were 64-bit Windows PE (Portable Executable) files written in Go. Each ransomware sample was customized for its intended victim: the investigation revealed that the samples carried unique company IDs (used in the encrypted file extension), client passwords, and compromised accounts. Qilin (or the Agenda ransomware group) gives affiliates the ability to build a customized binary payload for each victim, complete with information such as the victim’s company ID, RSA key, and the processes and services to shut down before data encryption. Additionally, a different ransom amount is demanded from each company, ranging from $50,000 to $800,000.

The Black Basta, Black Matter, and REvil (also known as Sodinokibi) ransomware families share some similarities with Agenda. Agenda closely resembles Black Basta and Black Matter in its payment site and in how user verification is implemented on its Tor site. The following command is used by Agenda, Black Basta, and REvil to reboot in safe mode (all three also change the Windows password): C:\windows\system32\bcdedit.exe /set {current} safeboot network.

During an investigation into one incident involving this ransomware, the responsible threat actor gained entry through a public-facing Citrix server. They logged in with a valid account before escalating privileges, and then used the compromised accounts to reach Active Directory over RDP. The threat actor left behind Nmap.exe and Nping.exe, tools for network scanning. A scheduled task was pushed to domain machines through Group Policy. Less than two days passed between gaining access to the Citrix server and the ransomware infection: on the first day, the threat actor appears to have examined the network before creating a Group Policy Object (GPO) and deploying the ransomware on the devices.

The Agenda ransomware sample is a 64-bit Windows PE file written in Go. Go programs are compiled to self-contained native binaries, so they run without a Go runtime being installed on the system. As shown in the table below, the ransomware accepts numerous command-line arguments during execution that specify the malware’s flow and functionality.

To specify its behavior, Agenda creates a runtime configuration that includes its public RSA key, encryption requirements, list of processes and services to stop, encryption extension, login information, and ransom notes.

As part of its initial routine, Agenda checks the data of the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SystemStartOptions for the string safeboot to determine whether the computer is running in safe mode, and terminates execution if it is. The ransomware then terminates the processes and services listed in its runtime configuration, some of which are antivirus-related, and deletes shadow volume copies with the command vssadmin.exe delete shadows /all /quiet. Following its initial routine, Agenda drops a copy of itself named enc.exe into the Public folder and creates the RunOnce autostart entry *aster pointing to it: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = %Public%\enc.exe. The leading asterisk in the value name makes Windows process the entry even when the machine boots into safe mode.

During encryption, Agenda employs a technique to avoid detection: it changes the default user’s password and enables automatic login with the new credentials. The feature is activated with the -safe command-line argument. Like REvil, Agenda reboots the victim’s machine in safe mode before continuing with the encryption process. Agenda first enumerates all local users on the device and then determines which one is the default user. Once it finds the default user, it changes that account’s password to Y25VslgRDr and configures the Winlogon registry key with the following values:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

AutoAdminLogon = 1

DefaultUserName = {username}

DefaultDomainName = {domainname}

After altering the default user’s password and turning on automatic login, Agenda restarts the victim’s machine in safe mode with the following command: C:\windows\system32\bcdedit.exe /set {current} safeboot network. Following the encryption, the ransomware restarts the machine in normal mode using the following commands: C:\Windows\System32\bcdedit.exe /set safeboot network and bcdedit /deletevalue {default} safeboot.

Agenda can use the login credentials embedded in its runtime configuration to run the ransomware under a local account. Before impersonating the user, Agenda splits each account in the runtime configuration into username, domain, and password. With that information, it attempts to log the user on to the local computer through the LogonUserW API. Agenda then launches the ransomware binary under that user with the CreateProcessAsUserW API, passing the -alter command-line argument together with a randomly generated port number.

Agenda is not only about encrypting data on one workstation; it targets the entire network and its shared drives. Once the ransomware adds the registry value EnableLinkedConnection = 1 (the setting that makes mapped network drives available to elevated processes as well), it restarts the LanmanWorkstation service. As a result, Agenda can enumerate network drives from elevated programs such as cmd.
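The registry and command-line behaviours described above (shadow copy deletion, the safeboot switch, the RunOnce entry pointing into the Public folder, Winlogon autologon, and EnableLinkedConnection) are each observable in endpoint telemetry. The following Python is an added detection example, not code from this article or from the vendor analysis it summarizes: it runs one rule per behaviour over constructed Sysmon-style event records (the field names type, cmdline, key and value are assumptions, not a real schema) and only rates the result critical when the pre-encryption sequence appears together, because each setting on its own has benign administrative uses.

```python
"""Rule checks for the Agenda-style pre-encryption sequence.

Added example: the event records are constructed, Sysmon-like dictionaries
(field names are assumptions, not a real schema), not real telemetry.
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample events modelled on the behaviours the article describes.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": "bcdedit.exe /set {current} safeboot network"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster",
     "value": r"C:\Users\Public\enc.exe"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "value": "1"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnection",
     "value": "1"},
    {"type": "process", "cmdline": "notepad.exe notes.txt"},  # benign noise
]


def _cmd(ev: Event) -> str:
    return ev.get("cmdline", "")


def _key(ev: Event) -> str:
    return ev.get("key", "").lower()


def _val(ev: Event) -> str:
    return ev.get("value", "").strip()


# Each rule maps one behaviour from the article to a predicate over an event.
RULES: Dict[str, Callable[[Event], bool]] = {
    # vssadmin delete shadows /all /quiet
    "shadow_copy_deletion": lambda ev: ev["type"] == "process"
        and re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", _cmd(ev), re.I) is not None,
    # bcdedit /set {current} safeboot network (argument order is not relied on)
    "safeboot_configured": lambda ev: ev["type"] == "process"
        and re.search(r"bcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", _cmd(ev), re.I) is not None,
    # RunOnce entry whose target lives in the Public folder
    "runonce_from_public": lambda ev: ev["type"] == "registry"
        and "\\runonce\\" in _key(ev)
        and re.search(r"\\users\\public\\|%public%", _val(ev), re.I) is not None,
    # Winlogon AutoAdminLogon = 1
    "autologon_enabled": lambda ev: ev["type"] == "registry"
        and _key(ev).endswith("\\winlogon\\autoadminlogon") and _val(ev) == "1",
    # EnableLinkedConnection = 1 (mapped drives visible to elevated processes)
    "linked_connections_enabled": lambda ev: ev["type"] == "registry"
        and _key(ev).endswith("\\enablelinkedconnection") and _val(ev) == "1",
}

# Each rule alone has benign explanations (an admin pruning restore points, a
# kiosk with autologon). Seen together on one host they form the sequence the
# article describes, so only the combination is rated critical.
SEQUENCE = {"shadow_copy_deletion", "safeboot_configured", "autologon_enabled"}


def evaluate(events: List[Event]) -> Dict[str, List[Event]]:
    """Return a mapping of rule name -> events that triggered it."""
    hits: Dict[str, List[Event]] = {}
    for ev in events:
        for name, matches in RULES.items():
            if matches(ev):
                hits.setdefault(name, []).append(ev)
    return hits


def severity(hits: Dict[str, List[Event]]) -> str:
    """critical when the full sequence is present, medium for any single hit."""
    if SEQUENCE.issubset(hits):
        return "critical"
    return "medium" if hits else "none"


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for name, evs in found.items():
        print(f"{name}: {len(evs)} event(s)")
    print("severity:", severity(found))
```

In production the correlation would be scoped to one host and a time window (the article reports the whole sequence within a single intrusion), and the bcdedit rule would be paired with a second one for the normal-mode restore so the end of the encryption phase is visible too.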

Agenda encrypts files with AES-256 and protects the generated key with RSA-2048. To do so, it calls the function generateKey to create the key and initialization vector (IV) used for encryption, relying on the rand.Read() API for random bytes. Agenda encrypts the target files with AES-256 using the randomly generated key, then encrypts that key with RSA-2048 using the public key embedded in the runtime configuration. After successful encryption, Agenda appends the company ID specified in the runtime configuration to the encrypted files’ names and drops the ransom note “company id”-RECOVER-README.txt into each encrypted directory. Agenda also drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the Public folder. This DLL was patched from the legitimate DLL WICloader.dll and is written in C rather than Go. Agenda injects the DLL into svchost.exe to keep the ransomware binary running continuously.
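The post-encryption artifacts described above (files renamed with the company ID, a “company id”-RECOVER-README.txt note in every encrypted directory, and a DLL dropped in the Public folder) give a file-activity heuristic that does not depend on the binary’s hash. The following Python is an added example, not the article’s or the vendor’s own code; it assumes the company ID is appended to each file name as a new extension and matches the note’s prefix, and the file events it analyses are constructed, not real telemetry.

```python
"""File-activity heuristic for the post-encryption artifacts described above.

Added example; the events are constructed, not real telemetry. It assumes
the company ID is appended to each file name as a new extension and matches
the prefix of the <company id>-RECOVER-README.txt ransom note.
"""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# <company id>-RECOVER-README.txt, with the company ID captured as a group
RANSOM_NOTE_RE = re.compile(r"^(?P<cid>[A-Za-z0-9]+)-RECOVER-README\.txt$", re.I)

# Constructed events: ("create", path) or ("rename", old_path, new_path).
SAMPLE_EVENTS: List[Tuple[str, ...]] = [
    ("rename", r"D:\share\finance\q1.xlsx", r"D:\share\finance\q1.xlsx.ACME1"),
    ("rename", r"D:\share\finance\q2.xlsx", r"D:\share\finance\q2.xlsx.ACME1"),
    ("rename", r"D:\share\finance\budget.docx", r"D:\share\finance\budget.docx.ACME1"),
    ("create", r"D:\share\finance\ACME1-RECOVER-README.txt"),
    ("create", r"C:\Users\Public\pwndll.dll"),
    ("rename", r"D:\share\hr\draft.docx", r"D:\share\hr\final.docx"),  # ordinary rename
]


def analyze(events, min_renames: int = 2) -> Dict[str, list]:
    """Correlate ransom-note drops with same-directory suffix renames."""
    # directory -> appended suffix -> number of files renamed that way
    suffix_renames: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    notes: Dict[str, str] = {}          # directory -> company ID taken from the note
    public_dlls: List[str] = []         # DLLs written to the Public folder

    for ev in events:
        op, path = ev[0], ev[1]
        directory, name = ntpath.dirname(path), ntpath.basename(path)
        if op == "rename":
            new_path = ev[2]
            # Same directory, original name intact, one new suffix appended:
            # the rename pattern the article describes for encrypted files.
            if ntpath.dirname(new_path) == directory and new_path.startswith(path + "."):
                suffix_renames[directory][new_path[len(path) + 1:]] += 1
        elif op == "create":
            m = RANSOM_NOTE_RE.match(name)
            if m:
                notes[directory] = m.group("cid")
            elif directory.lower().endswith(r"\users\public") and name.lower().endswith(".dll"):
                public_dlls.append(path)

    # A directory is reported only when the note's company ID matches the
    # suffix appended to at least min_renames files in that same directory.
    encrypted_dirs = []
    for directory, cid in notes.items():
        renamed = suffix_renames.get(directory, {}).get(cid, 0)
        if renamed >= min_renames:
            encrypted_dirs.append({"dir": directory, "company_id": cid, "renamed": renamed})
    return {"encrypted_dirs": encrypted_dirs, "public_dlls": public_dlls}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for hit in result["encrypted_dirs"]:
        print(f"encrypted directory {hit['dir']} (ID {hit['company_id']}, {hit['renamed']} files)")
    for dll in result["public_dlls"]:
        print("DLL dropped in Public folder:", dll)
```

Requiring the note and the renames to agree on the same ID keeps an isolated ransom-note lookalike or a single renamed file from raising an alert on its own; on a file server the min_renames threshold would be tuned against the normal rename rate of each share.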

Ransomware groups continue to evolve and develop more sophisticated methods and techniques to target high-profile companies. Users and companies can reduce the risk of infection from ransomware like Agenda by implementing multifactor authentication (MFA) to hinder lateral movement by threat actors within networks, storing backup files in separate locations, and regularly updating systems. At SpearTip, our advisory services allow our engineers to assess technology and internal personnel to discover blind spots in companies that can lead to significant compromises. By partnering with SpearTip, companies can benefit from the ShadowSpear Platform, our integrable managed detection and response solution, in protecting endpoints from suspicious activities and preventing ransomware threats from causing damage.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.