
A new targeted ransomware family written in the Go programming language is customized for maximum impact against each individual victim.
Malware written in Go (Golang) has become common among threat actors. Go statically links its dependencies into a single large binary, which makes reverse engineering and security analysis harder.
Agenda ransomware targets healthcare and education organizations in Indonesia, Saudi Arabia, South Africa and Thailand.
It offers several features, including rebooting systems into Safe Mode, attempting to stop many server-specific processes and services, and running in multiple modes. Files are encrypted with AES-256, and the generated AES key is in turn encrypted with RSA-2048, so only the holder of the corresponding RSA private key can recover it.
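The hybrid scheme that description implies, written out as an added example (this is illustrative code, not Agenda's): each file gets a fresh AES-256 key, and that key is wrapped with the operator's RSA-2048 public key, so the victim-side binary never needs the private key and nobody without it can unwrap the file key. AES-GCM and RSA-OAEP are assumed modes, since the page does not say which modes Agenda uses, and the sample plaintext is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedBlob is what the victim side leaves behind for one file: the body
// under a per-file AES-256 key, plus that key wrapped with the operator's
// RSA-2048 public key. Without the matching private key the AES key, and
// therefore the file, cannot be recovered.
type EncryptedBlob struct {
	WrappedKey []byte // RSA-OAEP(pub, fileKey)            (mode assumed)
	Nonce      []byte // AES-GCM nonce                     (mode assumed)
	Ciphertext []byte // AES-256-GCM(fileKey, nonce, data)
}

// Seal is the victim-side step: it needs only the public key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*EncryptedBlob, error) {
	fileKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the file key so that only the RSA private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the operator-side step: unwrap the file key, then decrypt the body.
func Open(priv *rsa.PrivateKey, blob *EncryptedBlob) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key or corrupt blob")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip runs both sides on a constructed sample and reports whether the
// operator's key recovers the data and whether an unrelated key fails.
func RoundTrip() (recovered bool, wrongKeyFails bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	unrelated, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	sample := []byte("constructed sample file contents") // not real victim data
	blob, err := Seal(&operator.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	plain, err := Open(operator, blob)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(plain, sample)
	_, wrongErr := Open(unrelated, blob)
	wrongKeyFails = wrongErr != nil
	return recovered, wrongKeyFails, nil
}

func main() {
	ok, fails, err := RoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recovered with operator key: %v, unrelated key fails: %v\n", ok, fails)
}
```

The practical consequence for responders is in the second half of RoundTrip: with the wrapped key in hand but no private key, OAEP unwrapping fails, so recovery of the files depends on the operator's key, backups, or an implementation flaw in the malware rather than on the ciphertext itself.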
The ransomware group also lets affiliates customize the configurable binary payload for each victim. It evades detection by rebooting into Safe Mode before encrypting, since many endpoint security agents do not run in Safe Mode.
It uses local accounts to log on as spoofed users and execute the ransomware binary, encrypting other machines as well when a logon attempt succeeds. It also terminates numerous processes and services and establishes persistence by injecting a DLL into svchost.exe.
The ransom demanded differed for each company, ranging from $50,000 to $800,000.
Important protection measures
- Use multifactor authentication (MFA).
- Follow the 3-2-1 rule when backing up important files: three copies, on two different media, with one copy kept off-site or offline.
- Patch and update systems regularly.
Indicators of Compromise (SHA-256)
- 117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
- 93d0cc8492511c663f17544b3bf14eab8ccb492909536e79ef652921d809bb1a
- e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342
- 28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab
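A scanner for the hashes above, added here as an example and not taken from the original page: it streams every regular file under a directory through SHA-256 and reports those whose digest is in the IoC set. Because no listed sample is available offline, the demo adds the hash of a constructed stand-in file to the set so that the scan produces a hit; that stand-in hash is not an Agenda indicator.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// AgendaIoCs are the SHA-256 hashes listed above.
var AgendaIoCs = []string{
	"117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464",
	"93d0cc8492511c663f17544b3bf14eab8ccb492909536e79ef652921d809bb1a",
	"e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342",
	"28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab",
}

// HashSet normalises hashes to lowercase hex so lookups are case-insensitive.
func HashSet(hashes []string) map[string]bool {
	set := make(map[string]bool, len(hashes))
	for _, h := range hashes {
		set[strings.ToLower(strings.TrimSpace(h))] = true
	}
	return set
}

// BytesSHA256 returns the lowercase hex SHA-256 of b.
func BytesSHA256(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// FileSHA256 streams a file through SHA-256 without loading it all into memory.
func FileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// ScanDir walks root and returns paths of regular files whose SHA-256 is in iocs.
// Unreadable entries are skipped rather than aborting the whole scan.
func ScanDir(root string, iocs map[string]bool) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if d == nil {
				return err // root itself could not be examined
			}
			return nil // unreadable entry: skip it
		}
		if !d.Type().IsRegular() {
			return nil
		}
		sum, err := FileSHA256(path)
		if err != nil {
			return nil
		}
		if iocs[sum] {
			hits = append(hits, path)
		}
		return nil
	})
	return hits, err
}

// Demo writes two constructed files to a temp directory, adds the hash of one of
// them to the IoC set as a stand-in for a real sample (NOT an Agenda hash), and
// returns how many files the scan flagged.
func Demo() (int, error) {
	dir, err := os.MkdirTemp("", "ioc-demo")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	benign := []byte("constructed benign file contents")
	standIn := []byte("constructed stand-in for a malicious sample")
	if err := os.WriteFile(filepath.Join(dir, "notes.txt"), benign, 0o600); err != nil {
		return 0, err
	}
	if err := os.WriteFile(filepath.Join(dir, "agenda.exe"), standIn, 0o600); err != nil {
		return 0, err
	}
	iocs := HashSet(AgendaIoCs)
	iocs[BytesSHA256(standIn)] = true // test-only entry so the demo hits offline
	hits, err := ScanDir(dir, iocs)
	return len(hits), err
}

func main() {
	n, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("files matching IoC hashes: %d\n", n)
}
```

Hash matching only catches the exact samples listed. Since affiliates rebuild the payload per victim, a customized binary will not match any of these digests, so treat the list as a starting point and pair it with behavioural checks for the traits described above, such as an unexpected Safe Mode boot configuration or a foreign DLL loaded into svchost.exe.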