Overview

Agenda ransomware (also known as Qilin) is a malware family that has actively targeted various industry sectors, including healthcare, education, manufacturing and real estate, since at least July 2022. The group behind the ransomware operates via the Ransomware-as-a-Service (RaaS) model and has been observed using different programming languages, including Rust and Go, to evade detection. The Rust variant of Agenda was first observed in December 2022 and uses intermittent encryption tactics to achieve faster encryption and better detection evasion. Agenda ransomware operators apply the double-extortion model, threatening to leak stolen data if the ransom is not paid. The group and its affiliates earn between 80% and 85% of the ransom payments. The Agenda RaaS provides affiliates with an admin panel that allows them to customise binary payloads for each victim.

The malware gains initial access to systems through phishing emails and password-protected files hosted on cloud storage services.

In May 2023, a threat actor named ‘Qilin’ advertised the Agenda/Qilin RaaS programme on underground forums, including Club2CRD, Cracked Forum and XSS (eX DamageLab), as well as on Telegram. Reports from that period indicated that Agenda/Qilin affiliates accessed target systems via phishing emails embedded with malicious links. After gaining access, the ransomware operators moved laterally within the infected network to search for files to encrypt. Following the encryption of the victim’s files, the operators deployed a ransom note containing instructions on how to obtain the decryption keys.

As is the case with other notorious ransomware strains, such as LockBit, Agenda ransomware avoids targets in specific geographic locations by checking the system language settings of the host it runs on. The check uses a list of the languages of the 12 current, former or founding member states of the Commonwealth of Independent States (CIS). This reflects the implicit sanction of the Russian authorities, which tolerate a group’s threat activity on the condition that it attacks only foreign targets. It is a typical strategy of malware created by developers in CIS member states (former Soviet Union nations): the associated ransomware gangs avoid penalties from inside the CIS, provided they avoid attacking its organisations.

Further Malware Reports from Quorum Cyber

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ