Rust variant of ransomware strain known as agenda has been observed in the wild, making it the latest malware to adopt a cross-platform programming language after BlackCat, Hive, Luna, and RansomExx.
Agenda is a Ransomware as a Service (RaaS) group attributed to an operator named Qilin and is associated with a series of attacks primarily targeting manufacturing and IT industries in various countries.
Previous versions of the ransomware, written in Go and customized for each victim, identified the healthcare and education sectors in countries such as Indonesia, Saudi Arabia, South Africa, and Thailand.
Agenda extends the idea of โโpartial encryption (a.k.a. intermittent encryption) by configuring parameters used to determine the percentage of file content to be encrypted, similar to Royal ransomware .
“This tactic is gaining popularity among ransomware attackers because it can speed up encryption and avoid detections that rely heavily on file read/write operations,” said a group of Trend Micro researchers. increase. Said in last week’s report.
Analyzing the ransomware binaries, we found that the encrypted files have the extension “MmXReVIxLV” and drops a ransom note in every directory.
Additionally, the Rust version of Agenda can terminate Windows AppInfo processes and disable User Account Control (UAC). UAC helps reduce the impact of malware by requiring administrator access to launch programs or tasks.
“Currently, the attackers appear to be migrating their ransomware code to Rust, as recent samples still lack some features found in the original binaries written in the Golang variant of the ransomware. ‘ said the researchers.
โThe Rust language is becoming more popular among attackers because it is difficult to analyze and has a low detection rate by antivirus engines.โ