The Agenda ransomware group has been ramping up infections worldwide, thanks to a new and improved variant of its virtual machine-focused ransomware.
Agenda was first spotted in 2022. Its first ransomware, written in Golang, was used against an indiscriminate range of targets in healthcare, manufacturing, and education, from Canada to Colombia and Indonesia.
Toward the end of 2022, Agenda's proprietors rewrote its malware in Rust, a language whose cross-platform tooling suits malware authors looking to spread their work across operating systems. With the Rust variant, Agenda was able to compromise organizations across finance, law, construction, and more, predominantly in the US but also in Argentina, Australia, Thailand, and elsewhere.
Just recently, Trend Micro identified a new Agenda ransomware variant in the wild. This latest Rust-based version comes with a variety of new functionalities and stealth mechanisms, and sets its sights squarely on VMware vCenter and ESXi servers.
"Ransomware attacks against ESXi servers are a growing trend," notes Stephen Hilt, senior threat researcher at Trend Micro. "They're attractive targets for ransomware attacks because they often host critical systems and applications, and the impact of a successful attack can be significant."
The New Agenda Ransomware
Infections begin when the ransomware binary is delivered via either Cobalt Strike or a remote monitoring and management (RMM) tool. A PowerShell script embedded in the binary allows the ransomware to propagate across vCenter and ESXi servers.
Once it has spread, the malware changes the root password on all ESXi hosts, thereby locking out their owners, then uses Secure Shell (SSH) to upload the malicious payload.
One frivolous but psychologically impactful new feature allows the hackers to print their ransom note, instead of just presenting it on an infected monitor.
The attackers actively execute all these various commands via a shell, enabling them to carry out their malicious behaviors without leaving any files behind as evidence.
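The sequence described above, a root password change on an ESXi host followed shortly by an SSH login as root, is one that defenders can correlate in host logs. The following is an added example, not code from Trend Micro's report; the log lines are constructed in a simplified ESXi-style syslog format and the message patterns are assumptions, not real captures.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified ESXi-style syslog format (not real captures).
SAMPLE_LOG = """\
2024-02-01T10:00:01Z esx01 Hostd: Password was changed for user 'root'
2024-02-01T10:00:40Z esx01 sshd[1201]: Accepted keyboard-interactive/pam for root from 10.9.8.7 port 50211 ssh2
2024-02-01T10:01:05Z esx01 sshd[1201]: Received disconnect from 10.9.8.7
2024-02-01T11:30:00Z esx02 sshd[2210]: Accepted keyboard-interactive/pam for root from 10.0.0.5 port 40011 ssh2
2024-02-01T12:00:00Z esx03 Hostd: Password was changed for user 'root'
2024-02-01T15:00:00Z esx03 sshd[3301]: Accepted keyboard-interactive/pam for root from 10.0.0.5 port 40022 ssh2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")           # timestamp host message
PW_RE = re.compile(r"Password was changed for user 'root'")   # assumed message text
SSH_RE = re.compile(r"Accepted \S+ for root from (\S+) port")  # assumed sshd message text


def parse(line):
    """Split one log line into (datetime, host, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, msg = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, msg


def find_root_pw_change_then_ssh(log_text, window=timedelta(minutes=30)):
    """Return (host, changed_at, login_at, source_ip) for every host where a root
    password change is followed within `window` by an accepted SSH login as root.
    A change with no login inside the window, or a login with no prior change,
    is not reported on its own."""
    last_change = {}  # host -> time of the most recent root password change
    alerts = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, host, msg = rec
        if PW_RE.search(msg):
            last_change[host] = ts
            continue
        m = SSH_RE.search(msg)
        if m and host in last_change and ts - last_change[host] <= window:
            alerts.append((host, last_change[host], ts, m.group(1)))
    return alerts


if __name__ == "__main__":
    for host, changed, login, ip in find_root_pw_change_then_ssh(SAMPLE_LOG):
        print(f"{host}: root password changed {changed:%H:%M:%S}, SSH root login from {ip} at {login:%H:%M:%S}")
```

With the sample data only esx01 is reported: esx02 has a root login but no password change, and esx03's login falls three hours after its change, outside the 30-minute window.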
Ransomware Risk
Ransomware, once exclusive to Windows, has blossomed across Linux, VMware, and even macOS, thanks to how much sensitive information companies keep within these environments.
In its report, Trend Micro recommends that at-risk organizations keep close watch over administrative privileges, regularly update security products, perform scans and back up data, educate employees about social engineering, and practice diligent cyber hygiene.
"The push for cost reduction and remaining on premise will cause organizations to virtualize and use systems like ESXi to virtualize the systems," Hilt adds, so the risk of virtualization cyberattacks will likely only continue to grow.