The end of Virtual Infrastructure: Agenda deals a powerful blow to organizations

Printing ransom demands on connected printers has become one of the markers of the group's latest attacks.

The Agenda group, also known as Qilin or Water Galura, is driving up infection numbers worldwide with a new and improved version of its ransomware, which targets virtual machines. Its first Golang-based ransomware was discovered in 2022 and used against a wide range of targets in healthcare, manufacturing and education, from Canada to Indonesia.

According to a recent report by Trend Micro, the group has continued to infect victims around the world, with the United States, Argentina, Australia and Thailand currently among the attackers' main targets. The financial sector, IT companies and law firms are now the group's preferred target sectors.

Since December 2023, the number of Agenda detections has risen significantly compared to November of the same year. This may indicate both increased operator activity and a broader set of attacked targets.

The latest Agenda samples are updates to the Rust version. According to observations, the group uses remote monitoring and management (RMM) tools, as well as Cobalt Strike, to deploy the malicious executable. The Agenda executable itself can be spread via PsExec and SecureShell, and can load various vulnerable SYS drivers to bypass security mechanisms.

Among Agenda's new features is the ability to print the ransom demand on connected printers. The malware copies the text to "%User Temp%\{Generated file name}" and executes commands to send the contents of that file to the specified printer.
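As an added illustration of how a defender might spot this behaviour (example code written for this post, not from Trend Micro or from the malware itself), the script below correlates constructed Sysmon-style events: a file created under the user's Temp folder, followed by a print command referencing that file from the same process or its child. The event fields, printer name and print-command patterns are assumptions, not details from the report.

```python
import re

# Constructed, Sysmon-style events (not real telemetry): id 11 = FileCreate, id 1 = ProcessCreate.
EVENTS = [
    {"id": 11, "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\agent.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\x7f3a2c1e.txt"},
    {"id": 1, "pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c print /d:\\PRINTSRV01\Lobby-HP C:\Users\alice\AppData\Local\Temp\x7f3a2c1e.txt"},
    {"id": 11, "pid": 5200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Local\Temp\~DF91.tmp"},
    {"id": 1, "pid": 5300, "ppid": 5200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\alice\AppData\Local\Temp"},
]

# Per-user Temp folder, matched case-insensitively.
TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Print verbs treated as suspicious when aimed at a freshly dropped Temp file (assumed patterns).
PRINT_RE = re.compile(r"(\bprint\b\s+/d:|\bout-printer\b|-verb\s+print\b|notepad(\.exe)?\s+/p\b)", re.I)


def find_temp_print_sequences(events):
    """Return (writer_pid, file_path, cmdline) for each Temp-file write followed by a print of that file."""
    temp_files = {}  # lowercase path -> pid of the process that created it
    hits = []
    for ev in events:
        if ev["id"] == 11 and TEMP_DIR_RE.match(ev["target"]):
            temp_files[ev["target"].lower()] = ev["pid"]
        elif ev["id"] == 1 and PRINT_RE.search(ev.get("cmdline", "")):
            cmd = ev["cmdline"].lower()
            for path, writer in temp_files.items():
                # Only flag when the dropper itself, or its direct child, prints the dropped file.
                if path in cmd and (ev["pid"] == writer or ev.get("ppid") == writer):
                    hits.append((writer, path, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for writer, path, cmdline in find_temp_print_sequences(EVENTS):
        print(f"ALERT pid={writer} dropped {path} and printed it via: {cmdline}")
```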

To bypass security measures, Agenda uses the Bring Your Own Vulnerable Driver (BYOVD) technique, loading a different vulnerable driver to disable a different security product in each infection chain. Experts also observed the use of public utilities such as YDark and Spyboy's Terminator.

Another update is the ability to propagate to VMware vCenter and ESXi servers via a dedicated PowerShell script embedded in the binary. This lets the attackers hit virtual machines and the entire virtual infrastructure, resulting in data loss, financial losses and service outages.

Agenda's reach into virtual environments shows that its operators are expanding the range of targets and systems they attack.

For protection, organizations are encouraged to restrict administrative rights, keep security solutions up to date, maintain data backups, train users in cybersecurity basics, and adopt a multi-layered approach for comprehensive protection.