Agenda's new Rust variant, like the Royal ransomware, uses a partial encryption (also known as intermittent encryption) technique: configurable parameters determine what percentage of each file's content is encrypted. This method speeds up encryption and evades detections that key on the malware's file read/write operations. In addition, unlike older Agenda versions, the new variant can terminate the Windows AppInfo process and disable the User Account Control (UAC) feature, which helps prevent the execution of the malware with administrative rights.
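Because intermittent encryption leaves most of a file's bytes untouched, a whole-file entropy check can miss it; scoring entropy per chunk exposes the alternating plaintext/ciphertext pattern and estimates the encrypted fraction. The following is an added defensive example, not code from the report or from any vendor tool; the chunk size and the 7.5 bits/byte threshold are assumptions, and the sample input is constructed (random bytes stand in for ciphertext, no real cipher is used).

```python
import math
import os
from collections import Counter

CHUNK_SIZE = 4096      # assumed analysis granularity
HIGH_ENTROPY = 7.5     # bits/byte; assumed threshold for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of every fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE, high: float = HIGH_ENTROPY):
    """Label a file body and estimate the fraction of it that is encrypted.

    Low-entropy plaintext chunks drag a whole-file average down, so the
    decision is made on the share of chunks that individually look encrypted.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "plain", 0.0
    frac = sum(1 for e in ents if e >= high) / len(ents)
    if frac == 0.0:
        return "plain", frac
    if frac == 1.0:
        return "fully_encrypted", frac
    return "partially_encrypted", frac


def make_sample(n_chunks: int = 16, encrypt_every: int = 4, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Constructed input: repetitive text with every Nth chunk replaced by random bytes,
    standing in for a partially encrypted file."""
    text = (b"quarterly report: revenue, costs, headcount and forecast notes. " * 100)[:chunk_size]
    chunks = [os.urandom(chunk_size) if i % encrypt_every == 0 else text for i in range(n_chunks)]
    return b"".join(chunks)


if __name__ == "__main__":
    label, frac = classify(make_sample())
    print(f"{label}: ~{frac:.0%} of chunks are high-entropy")  # partially_encrypted: ~25%
```

Run against real files, the estimated fraction lets a responder compare affected files with the percentage the sample was configured to encrypt.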
Recently, threat actors behind ransomware families have been observed porting their ransomware code to the Rust language. Rust is becoming more common among threat actors because the resulting binaries are harder to analyze and have a lower detection rate among antivirus engines.
In this context, it is recommended to consider the following security practices to avoid being exposed to targeted attacks that can be carried out using advanced malware.
- E-mails, attachments, and links from unknown parties should not be trusted,
- Files, programs, or applications should not be downloaded from illegal or suspicious-looking sources,
- Institution/organization personnel should be made aware of targeted social engineering/phishing attacks,
- Network traffic should be continuously monitored for malicious attempts and abnormal network behavior,
- Comprehensive security solutions should be used,
- Critical files/systems should be backed up regularly,
- IoC findings related to the campaign should be blocked in the security solutions in use.