A new, improved variant on the group's malware combines fileless infection, BYOVD, and more to cause havoc in virtual environments.

3 Min Read
VMware logo on smartphone screen
Source: Igor Golovnov via Alamy Stock Photo

The Agenda ransomware group has been ramping up infections worldwide, thanks to a new and improved variant of its virtual machine-focused ransomware.

Agenda (aka Qilin and Water Galura) was first spotted in 2022. Its first, Golang-based ransomware was used against an indiscriminate range of targets: in healthcare, manufacturing, and education, from Canada to Colombia and Indonesia.

Toward the end of 2022, Agenda's proprietors rewrote its malware in Rust, a useful language for malware authors looking to spread their work across operating systems. With the Rust variant, Agenda was able to compromise organizations across finance, law, construction, and more, predominantly in the US but also in Argentina, Australia, Thailand, and elsewhere.

Just recently, Trend Micro identified a new Agenda ransomware variant in the wild. This latest Rust-based version comes with a variety of new functionalities and stealth mechanisms, and sets its sights squarely on VMware vCenter and ESXi servers.

"Ransomware attacks against ESXi servers are a growing trend," notes Stephen Hilt, senior threat researcher at Trend Micro. "They're attractive targets for ransomware attacks because they often host critical systems and applications, and the impact of a successful attack can be significant."

The New Agenda Ransomware

Agenda infections began ramping up in December, according to Trend Micro, perhaps because the group is more active now, or perhaps because they're more effective.

Infections begin when the ransomware binary is delivered via either Cobalt Strike, or a remote monitoring and management (RMM) tool. A PowerShell script embedded in the binary allows the ransomware to propagate across vCenter and ESXi servers.

Once properly disseminated, the malware changes the root password on all ESXi hosts, thereby locking out their owners, then uses Secure Shell (SSH) to upload the malicious payload.

This new, more powerful Agenda malware shares all the same functionality as its predecessor: scanning or excluding certain file paths, propagating to remote machines via PsExec, precisely timing out when the payload is executed, and so on. But it also adds a number of new commands for escalating privileges, impersonating tokens, disabling virtual machine clusters, and more.

One frivolous but psychologically impactful new feature allows the hackers to print their ransom note, instead of just presenting it on an infected monitor.

The attackers actively execute all these various commands via a shell, enabling them to carry out their malicious behaviors without leaving any files behind as evidence.

To further enhance its stealth, Agenda also borrows from a recently popular trend among ransomware attackers — bring your own vulnerable driver (BYOVD) — using vulnerable SYS drivers to evade security software.

Ransomware Risk

Ransomware, once exclusive to Windows, has blossomed across Linux and VWware and even macOS, thanks to how much sensitive information companies keep within these environments.

"Organizations store a variety of data on ESXi servers, including sensitive information such as customer data, financial records, and intellectual property. They may also store backups of critical systems and applications on ESXi servers," Hilt explains. Ransomware attackers prey upon this kind of sensitive information, where other threat actors might use these same systems as a launchpad for further network attacks.

In its report, Trend Micro recommends that at-risk organizations keep close watch over administrative privileges, regularly update security products, perform scans, and backup data, educate employees about social engineering, and practice diligent cyber hygiene.

"The push for cost reduction and remaining on premise will cause organizations to virtualize and use systems like ESXi to virtualize the systems," Hilt adds, so the risk of virtualization cyberattacks will likely only continue to grow.

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights