The Agenda ransomware group has been ramping up infections worldwide, thanks to a new and improved variant of its virtual machine-focused ransomware.
Agenda (aka Qilin and Water Galura) was first spotted in 2022. Its first, Golang-based ransomware was used against an indiscriminate range of targets: in healthcare, manufacturing, and education, from Canada to Colombia and Indonesia.
Toward the end of 2022, Agenda’s proprietors rewrote its malware in Rust, a useful language for malware authors looking to spread their work across operating systems. With the Rust variant, Agenda was able to compromise organizations across finance, law, construction, and more, predominantly in the US but also in Argentina, Australia, Thailand, and elsewhere.
Just recently, Trend Micro identified a new Agenda ransomware variant in the wild. This latest Rust-based version comes with a variety of new functionalities and stealth mechanisms, and sets its sights squarely on VMware vCenter and ESXi servers.
“Ransomware attacks against ESXi servers are a growing trend,” notes Stephen Hilt, senior threat researcher at Trend Micro. “They’re attractive targets for ransomware attacks because they often host critical systems and applications, and the impact of a successful attack can be significant.”
Agenda infections began ramping up in December, according to Trend Micro, perhaps because the group is more active now, or perhaps because they’re more effective.
Infections begin when the ransomware binary is delivered via either Cobalt Strike, or a remote monitoring and management (RMM) tool. A PowerShell script embedded in the binary allows the ransomware to propagate across vCenter and ESXi servers.
Once properly disseminated, the malware changes the root password on all ESXi hosts, thereby locking out their owners, then uses Secure Shell (SSH) to upload the malicious payload.
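The sequence described above (a root password change on an ESXi host followed shortly by an SSH login as root) is something a defender can look for in host logs. The following is an added detection example, not code from Trend Micro or from the article; the log lines and their syslog-like format are constructed for illustration and do not reproduce any real ESXi log layout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (assumed syslog-style layout, not captured from a real host).
# Host esxi01 shows the suspicious pattern; esxi02 shows a routine root login with no prior change.
SAMPLE_LOG = """\
2024-01-15T10:02:11Z esxi01 passwd[1201]: password changed for root
2024-01-15T10:03:40Z esxi01 sshd[1342]: Accepted keyboard-interactive for root from 10.0.5.23 port 50122
2024-01-15T10:04:02Z esxi01 sshd[1342]: session opened for user root
2024-01-15T13:30:00Z esxi02 sshd[2210]: Accepted publickey for root from 10.0.1.10 port 40012
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[a-z]+)\[\d+\]: (?P<msg>.*)$")


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_suspicious(log_text, window=timedelta(minutes=30)):
    """Return (host, password_change_ts, ssh_login_ts, source_ip) for every root SSH login
    that occurs within `window` after a root password change on the same host."""
    last_change = {}  # host -> timestamp of most recent root password change
    hits = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue  # unrecognised line: skip rather than fail the whole run
        if ev["proc"] == "passwd" and "password changed for root" in ev["msg"]:
            last_change[ev["host"]] = ev["ts"]
        elif ev["proc"] == "sshd" and ev["msg"].startswith("Accepted"):
            src = re.search(r"for root from (\S+)", ev["msg"])
            changed = last_change.get(ev["host"])
            if src and changed is not None and timedelta(0) <= ev["ts"] - changed <= window:
                hits.append((ev["host"], changed, ev["ts"], src.group(1)))
    return hits


if __name__ == "__main__":
    for host, changed, login, ip in find_suspicious(SAMPLE_LOG):
        print(f"{host}: root password changed at {changed}, root SSH login from {ip} at {login}")
```

In practice the same logic would run against centrally forwarded syslog from the hosts, since a compromised host's local logs are under the attacker's control once root has been taken.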
This new, more powerful Agenda malware retains all the functionality of its predecessor: scanning or excluding certain file paths, propagating to remote machines via PsExec, precisely timing when the payload is executed, and so on. But it also adds a number of new commands for escalating privileges, impersonating tokens, disabling virtual machine clusters, and more.
One frivolous but psychologically impactful new feature allows the hackers to print their ransom note, instead of just presenting it on an infected monitor.
The attackers actively execute all these various commands via a shell, enabling them to carry out their malicious behaviors without leaving any files behind as evidence.
To further enhance its stealth, Agenda also borrows from a recently popular trend among ransomware attackers — bring your own vulnerable driver (BYOVD) — using vulnerable SYS drivers to evade security software.
Ransomware, once exclusive to Windows, has blossomed across Linux and VMware and even macOS, thanks to how much sensitive information companies keep within these environments.
“Organizations store a variety of data on ESXi servers, including sensitive information such as customer data, financial records, and intellectual property. They may also store backups of critical systems and applications on ESXi servers,” Hilt explains. Ransomware attackers prey upon this kind of sensitive information, whereas other threat actors might use these same systems as a launchpad for further network attacks.
In its report, Trend Micro recommends that at-risk organizations keep close watch over administrative privileges, regularly update security products, perform scans and back up data, educate employees about social engineering, and practice diligent cyber hygiene.
“The push for cost reduction and remaining on premise will cause organizations to virtualize and use systems like ESXi to virtualize the systems,” Hilt adds, so the risk of virtualization cyberattacks will likely only continue to grow.