Healthcare and education organizations in South Africa, Saudi Arabia, Indonesia, and Thailand are under attack from the new customizable Golang-based Agenda ransomware strain, The Hacker News reports.
Affiliates using Agenda, which Qilin promotes on the dark web, are offered the ability to customize binary payloads per victim, choose the encryption file extension, specify which services and processes to terminate before encryption, and tailor the ransom note, according to a Trend Micro study.
"Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run," said researchers.
The report also found that Agenda exploits impacted devices' "safe mode" functionality to evade detection, as well as abuses local account credentials for ransomware binary execution.
Attackers could also use Agenda to compromise an entire network along with its drivers; in one attack, a public-facing Citrix server was exploited to deploy the ransomware in less than two days, according to researchers.