This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agenda's Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works.
This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.
According to TrendMicro's observations in the past month, the Agenda ransomware’s activities included posting numerous companies on its leak site. The threat actors not only claimed that they were able to breach the servers of these companies but also threatened to publish their files. The companies that the ransomware group posts on its leak site are located in different countries and belong mostly in the manufacturing and IT industries, with a combined revenue that surpasses US$550 million.
Recently, TrendMicro found a sample of the Agenda ransomware written in Rust language and detected as Ransom.Win32.AGENDA.THIAFBB. Notably, the same ransomware, originally written in Go language, was known for targeting healthcare and education sectors in countries like Thailand and Indonesia. The actors customized previous ransomware binaries for the intended victim through the use of confidential information such as leaked accounts and unique company IDs as the appended file extension. The Rust variant has also been seen using intermittent encryption, one of the emerging tactics that threat actors use today for faster encryption and detection evasion.
The Agenda ransomware is also known to deploy customized ransomware for each victim, and experts of TrendMicro have seen that its Rust variants have an allocated space for adding accounts in their configuration to be used mostly for privilege escalation.
An emerging ransomware family, Agenda has recently been targeting critical sectors such as healthcare and education industries. At present, its threat actors appear to be migrating their ransomware code to Rust as recent samples still lack some features seen in the original binaries written in the Golang variant of the ransomware. Rust language is becoming more popular among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.
#Analysis #IoCs #Healthcare #Education