This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agenda’s Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works.
This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.
According to our observations in the past month, the Agenda ransomware’s activities included posting numerous companies on its leak site. The threat actors not only claimed that they were able to breach the servers of these companies but also threatened to publish their files. The companies that the ransomware group posts on its leak site are located in different countries and belong mostly in the manufacturing and IT industries, with a combined revenue that surpasses US$550 million.
Recently, we found a sample of the Agenda ransomware written in Rust language and detected as Ransom.Win32.AGENDA.THIAFBB. Notably, the same ransomware, originally written in Go language, was known for targeting healthcare and education sectors in countries like Thailand and Indonesia. The actors customized previous ransomware binaries for the intended victim through the use of confidential information such as leaked accounts and unique company IDs as the appended file extension. The Rust variant has also been seen using intermittent encryption, one of the emerging tactics that threat actors use today for faster encryption and detection evasion.
Blackbox analysis
When executed, the Rust binary prompts the following error requiring a password to be passed as an argument. This command-line feature is similar to the Agenda ransomware binaries written in Golang.
Upon execution of the sample with “—password” as its parameter in conjunction with a dummy password “AgendaPass,” the ransomware sample runs its malicious routine starting with the termination of various processes and services.
Specific to the sample we analyzed, the ransomware appends the extension “MmXReVIxLV” to encrypted files. It also displays activity logs on the command prompt, including the file it has encrypted and the elapsed time.
The ransomware will then proceed to drop its ransom note on every directory it encrypts. As observed in its ransom note, the password used to execute the ransomware will also be used as the password for logging in to the support chat site of the ransomware group.
Agenda ransomware analysis
Unlike Agenda’s Golang variant, which accepts 10 arguments, its Rust variant only accepts three arguments:
Argument | Description |
-password {string} | Defines the password to enter landing |
-ips {IP address} | Allows for providing IP addresses |
-paths {directory} | Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned |
Table 1. Arguments used by the Agenda ransomware’s Rust variant
The Rust variant also contains hard-coded configuration inside its binaries like the earlier samples compiled in Golang.
It also added the -n, -p, fast, skip, and step flags on its configurations, which are not present in the Golang variant configuration and only used via command-line argument. Upon further analysis, we have learned that these flags are used for intermittent encryption. This tactic enables the ransomware to encrypt the victim’s files faster by partially encrypting the files depending on the values of the flags. This tactic is becoming more popular among ransomware actors as it lets them encrypt faster and avoid detections that heavily rely on read/write file operations.
Flags | Description |
fast | Encrypts the first (N*0x200000h) of the file |
skip (N) – step (Y) | Skip encryption for N bytes after encrypting Y bytes of the file |
n: {N} p: {P} | Encrypt (N*0x200000h) of the file and skips p bytes (P – percentage of the file size) |
Table 2. Flags used for intermittent encryption
We tried to mimic its encryption behavior using some of the flags present on its configuration. For this simulation, we used a dummy file filled with “A” as its content.
For fast mode:
Value: 1
Encrypted bytes: 1 * 0x200000h, where 1 is the value set in the fast flag
For N-P mode:
Total size = 88,082,336 bytes
Bytes encrypted = 1 * 0x200000,h where 1 is the value set in the n flag
Bytes skipped = 880,818 bytes (1% of the whole file), where 1 is the value set in the p flag
Aside from the additional flags used for different encryption modes, the Rust variant has included AppInfo to its roster of services to terminate. It disables User Account Control (UAC), a Windows feature that helps prevent malware from executing with administrative rights, resulting in the inability to run other applications with administrative privileges.
The Agenda ransomware is also known to deploy customized ransomware for each victim, and we have seen that its Rust variants have an allocated space for adding accounts in their configuration to be used mostly for privilege escalation.
The file extension to be appended on the encrypted files is hard-coded in its configuration.
Unlike the previous Golang variant, however, the threat actors did not include the credentials of the victim in the configuration of the Rust variant. This feature of the latter prevents other researchers not only from visiting the ransomware’s chat support site but also accessing the threat actors’ conversations when a sample becomes available externally. It also prevents unsolicited messages from other people besides the victim.
Conclusion
An emerging ransomware family, Agenda has recently been targeting critical sectors such as healthcare and education industries. At present, its threat actors appear to be migrating their ransomware code to Rust as recent samples still lack some features seen in the original binaries written in the Golang variant of the ransomware. Rust language is becoming more popular among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.
Threat actors continue to favor ransomware as their tool of choice for conducting their operations, reiterating the call for enterprises and organizations to rely on a multilayered solution to secure data. Trend Micro Vision One™ provides visibility, correlated detection, and behavior monitoring across multiple layers: email, endpoints, servers, cloud workloads to help enterprises and organizations protect their systems from different threats, including ransomware.
Indicators of Compromise (IOCs)
SHA256 | Detection |
e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527 | Ransom.Win32.AGENDA.THIAFBB |
55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1 | Ransom.Win32.AGENDA.THIAHBB |
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6 | Ransom.Win32.AGENDA.THIAHBB |