New worldwide Agenda ransomware wave targets VMware ESXi servers

New worldwide Agenda ransomware wave targets VMware ESXi servers

An updated variant on the group's malware combines fileless infection, BYOVD and more to cause fresh havoc in virtual environments.

Published on 28th March 2024

The Agenda ransomware group has been ramping up infections worldwide, thanks to a new and improved variant of its virtual machine-focused ransomware.

Agenda (aka Qilin and Water Galura) was first spotted in 2022. Its first, Golang-based ransomware was used against an indiscriminate range of targets: in healthcare, manufacturing, and education, from Canada to Colombia and Indonesia.

Toward the end of 2022, Agenda’s proprietors rewrote its malware in Rust, a useful language for malware authors looking to spread their work across operating systems. With the Rust variant, Agenda was able to compromise organizations across finance, law, construction, and more, predominantly in the US but also in Argentina, Australia, Thailand, and elsewhere.

Just recently, Trend Micro identified a new Agenda ransomware variant in the wild. This latest Rust-based version comes with a variety of new functionalities and stealth mechanisms, and sets its sights squarely on VMware vCenter and ESXi servers.

“Ransomware attacks against ESXi servers are a growing trend,” notes Stephen Hilt, senior threat researcher at Trend Micro. “They’re attractive targets for ransomware attacks because they often host critical systems and applications, and the impact of a successful attack can be significant.”

The New Agenda Ransomware

Agenda infections began ramping up in December, according to Trend Micro, perhaps because the group is more active now, or perhaps because they’re more effective.

Infections begin when the ransomware binary is delivered via either Cobalt Strike, or a remote monitoring and management (RMM) tool. A PowerShell script embedded in the binary allows the ransomware to propagate across vCenter and ESXi servers.

Once properly disseminated, the malware changes the root password on all ESXi hosts, thereby locking out their owners, then uses Secure Shell (SSH) to upload the malicious payload.

This new, more powerful Agenda malware shares all the same functionality as its predecessor: scanning or excluding certain file paths, propagating to remote machines via PsExec, precisely timing out when the payload is executed, and so on. But it also adds a number of new commands for escalating privileges, impersonating tokens, disabling virtual machine clusters, and more.

One frivolous but psychologically impactful new feature allows the hackers to print their ransom note, instead of just presenting it on an infected monitor.

The attackers actively execute all these various commands via a shell, enabling them to carry out their malicious behaviors without leaving any files behind as evidence.

To further enhance its stealth, Agenda also borrows from a recently popular trend among ransomware attackers — bring your own vulnerable driver (BYOVD) — using vulnerable SYS drivers to evade security software.

Ransomware Risk

Ransomware, once exclusive to Windows, has blossomed across Linux and VMware and even macOS, thanks to how much sensitive information companies keep within these environments.

“Organizations store a variety of data on ESXi servers, including sensitive information such as customer data, financial records, and intellectual property. They may also store backups of critical systems and applications on ESXi servers,” Hilt explains. Ransomware attackers prey upon this kind of sensitive information, where other threat actors might use these same systems as a launchpad for further network attacks.

In its report, Trend Micro recommends that at-risk organizations keep close watch over administrative privileges, regularly update security products, perform scans, and backup data, educate employees about social engineering, and practice diligent cyber hygiene.

“The push for cost reduction and remaining on premise will cause organizations to virtualize and use systems like ESXi to virtualize the systems,” Hilt adds, so the risk of virtualization cyberattacks will likely only continue to grow.


The latest updates straight to your inbox

We just need a few details to get you subscribed

Health Checks

Inventory & Compliance

Cloud Readiness & Optimisation

Agreement & Audit Support


Looking for something specific?

Let's see what we can find - just type in what you're after

Wait! Before you go

Have you signed up to our newsletter yet?

It’s chock full of useful advice, exclusive events and interesting articles. Don’t miss out!

Cookie Notice

Our website uses cookies to ensure you have the best experience while you're here.