03/26/2024 | News release | Distributed by Public on 03/26/2024 01:55
Some of the drivers we have observed being leveraged by the Agenda ransomware are YDark, a publicly available tool designed for kernel manipulation, and Spyboy's Terminator tool, which is used to bypass antivirus (AV) and endpoint detection and response (EDR) products. Using different vulnerable drivers for defense evasion highlights how ransomware can adapt, presenting a significant challenge for the cybersecurity defenses trying to stop it.
Conclusion and recommendations
The Agenda ransomware's ability to spread to virtual machine infrastructure shows that its operators are also expanding to new targets and systems. Organizations should therefore be aware of the group's activities and implement security measures to protect themselves from these kinds of ransomware, such as the following:
A multilayered approach can help organizations guard possible entry points into their systems (endpoint, email, web, and network). Security solutions that detect malicious components and suspicious behavior can help protect enterprises.
Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.
Trend Cloud One™ - Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
With additional analysis from Nathaniel Morales, Maristel Policarpio, CJ Arsley Mateo, and Don Ladores.
Vision One hunting query
The following query may be useful for threat hunting within Vision One:
(fullPath:("C:\Users\Public\enc.exe" OR "C:\Users\Public\pwndll.dll") OR malName:*agenda*) OR (objectFilePath: ("C:\Users\Public\enc.exe" OR "C:\Users\Public\pwndll.dll"))
Indicators of Compromise
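As an added illustration that is not part of the original release, the following Python reproduces the matching logic of the Vision One hunting query above so it can be replayed over exported endpoint telemetry. The field names mirror the query; the case-insensitive path comparison is an assumption about how Windows paths should be matched, and the sample events are constructed, not data from the investigation.

```python
"""Replay the Vision One hunting query for Agenda artifacts over telemetry records."""
import fnmatch
from typing import Dict, Iterable, List

# File paths and malware-name wildcard taken from the hunting query on this page.
SUSPECT_PATHS = {r"c:\users\public\enc.exe", r"c:\users\public\pwndll.dll"}
MALNAME_PATTERN = "*agenda*"


def matches_agenda_query(event: Dict[str, str]) -> bool:
    """Return True when the record satisfies the query:
    fullPath or objectFilePath is one of the two dropped files,
    or malName matches *agenda*.
    Paths are lower-cased before comparison (assumption: Windows paths
    are case-insensitive, so "C:\\Users\\PUBLIC\\enc.exe" should still hit)."""
    for key in ("fullPath", "objectFilePath"):
        if event.get(key, "").lower() in SUSPECT_PATHS:
            return True
    mal_name = event.get("malName", "").lower()
    return bool(mal_name) and fnmatch.fnmatchcase(mal_name, MALNAME_PATTERN)


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of telemetry records down to the ones worth triage."""
    return [event for event in events if matches_agenda_query(event)]


# Constructed sample telemetry (hostnames, ids and the malName value are made up).
SAMPLE_EVENTS = [
    {"eventId": "1", "hostName": "ws-01", "fullPath": r"C:\Users\Public\enc.exe"},
    {"eventId": "2", "hostName": "ws-02", "objectFilePath": r"C:\Users\PUBLIC\pwndll.dll"},
    {"eventId": "3", "hostName": "ws-03", "malName": "Ransom.Win64.AGENDA.SAMPLE"},
    {"eventId": "4", "hostName": "ws-04", "fullPath": r"C:\Users\Public\notes.txt"},
    {"eventId": "5", "hostName": "ws-05", "malName": "Trojan.Win32.Generic"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"event {hit['eventId']} on {hit['hostName']} matches the Agenda hunt")
```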