The Agenda ransomware group has ramped up infections around the world, thanks to a new and improved variant of its ransomware focused on virtual machines.
Agenda (also known as Qilin and Water Galura) was first spotted in 2022. Its first ransomware, based on Golang, was used against an indiscriminate range of targets: in healthcare, manufacturing and education, from Canada to Colombia and Indonesia.
Towards the end of 2022, Agenda’s owners rewrote its malware Rust, a useful language for malware authors who want to spread their work across multiple operating systems. With the Rust variant, Agenda was able to compromise organizations in the financial, legal, construction and other industries, predominantly in the United States but also in Argentina, Australia, Thailand and elsewhere.
Just recently, Trend Micro identified a new variant of the Agenda ransomware in the wild nature. This latest Rust-based release comes with a variety of new features and stealth mechanisms and targets VMware vCenter and ESXi servers directly.
“Ransomware attacks against ESXi servers are a growing trend,” notes Stephen Hilt, senior threat researcher at Trend Micro. “They are attractive targets for ransomware attacks because they often host critical systems and applications, and the impact of a successful attack can be significant.”
The new agenda ransomware
According to Trend Micro, Agenda-type infections started to increase in December, perhaps because the group is now more active or perhaps because they are more effective.
Infections begin when the ransomware binary is distributed via Cobalt Strike or a Remote Monitoring and Management (RMM) tool. A PowerShell script embedded in the binary allows the ransomware to propagate to vCenter and ESXi servers.
Once successfully distributed, the malware changes the root password on all ESXi hosts, thereby locking out their owners, and then uses Secure Shell (SSH) to load the malicious payload.
This new and more powerful Agenda malware shares all the same features as its predecessor: scanning or excluding certain file paths, propagation to remote machines via PsExec, precise timeout when the payload is executed, and so on. But it also adds a bunch of new commands to escalate privileges, impersonate tokens, disable virtual machine clusters, and more.
A frivolous but psychologically impactful new feature allows hackers to print the ransom note, rather than simply presenting it on an infected monitor.
Attackers actively execute all of these different commands via a shell, allowing them to carry out their malicious behaviors without leaving any files as evidence.
To further improve its stealth, Agenda also borrows a trend recently popular among ransomware attackers: bring your own vulnerable driver (BYOVD) — using vulnerable SYS drivers to bypass security software.
Ransomware risk
Ransomware, once exclusive to Windows, has become increasingly widespread Linux and VWWare and even MacOSthanks to the amount of sensitive information that companies store in these environments.
“Organizations store a variety of data on ESXi servers, including sensitive information such as customer data, financial records, and intellectual property. They can also store backups of critical systems and applications on ESXi servers,” explains Hilt. Ransomware attackers exploit this type of sensitive information, whereas other threat actors could use these same systems as a launching pad for further network attacks.
In its report, Trend Micro recommends that at-risk organizations carefully monitor administrative privileges, regularly update security products, scan and back up data, educate employees about social engineering, and practice diligent cyber hygiene.
“The drive to reduce costs and stay on-premise will drive organizations to virtualize and use systems like ESXi to virtualize systems,” Hilt adds, so the risk of cyberattacks on virtualization will likely continue to grow.