A new variant of Agenda Ransomware, developed with the Rust programming language, has been detected to be used in campaigns targeting critical sectors. Agenda has become one of the ransomware that adopts the cross-platform programming language, making it easy to adapt to different systems such as Windows and Linux with the new variant. Agenda, attributed to an operator named Qilin, is linked to a series of attacks targeting manufacturing and IT industries in different countries. The Agenda Ransomware family, which is still under development, has recently been observed to target critical sectors such as the healthcare and education industries.
Agenda’s new Rust variant, like the Royal ransomware, uses a partial encryption (also known as intermittent encryption) technique by configuring the parameters used to determine the percentage of file content to be encrypted. This method allows faster encryption and avoids detections based on malware read/write file operations. In addition, unlike older Agenda versions, the new variant can terminate the Windows AppInfo process and disable the User Account Control (UAC) feature, which helps prevent the execution of the malware with administrative rights.
Recently, it has been observed that the threat actors behind Ransomware software have started to migrate the ransomware codes to the Rust language. The Rust language is becoming more common among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.
In this context, it is recommended to consider the following security practices to avoid being exposed to targeted attacks that can be carried out using advanced malware.
- E-mails, attachments, and links from unknown parties should not be respected,
- Do not download files, programs, or applications from illegal and suspicious-looking sources,
- Institution/organization personnel should be made aware of target-oriented social engineering/phishing attacks,
- Network traffic should be continuously monitored for the possibility of malicious attempts and abnormal network behavior,
- Comprehensive security solutions should be used,
- Critical files/systems should be backed up regularly,
IoC findings related to the campaign should be blocked from the security solutions in use.