Trend Micro Inc.

03/26/2024 | News release | Distributed by Public on 03/26/2024 01:55

Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script

Some drivers we have observed being leveraged by the Agenda ransomware is YDark, a publicly available tool designed for kernel manipulation, as well as Spyboy's Terminator tool used to bypass AVs and EDRs (Endpoint Detection and Response). Using different vulnerable drivers for defense evasion highlights how ransomware can adapt, presenting a significant challenge for cybersecurity defenses trying to stop it.

Conclusion and recommendations

The Agenda ransomware's ability to spread to virtual machine infrastructure shows that its operators are also expanding to new targets and systems, therefore organizations should be aware of the group's activities and implement security measures to protect themselves from these kinds of ransomware, such as:

  • Only granting employees administrative rights and access when necessary. 
  • Performing period scans and ensure that security products are updated regularly.  
  • Regularly backing up data to ensure as a failsafe measure for data loss. 
  • Exercising good email and website safety practices; avoid downloading attachments, clicking on URLs, and downloading applications unless certain of the source's legitimacy.
  • Conducting regular user education on the dangers of social engineering. 

A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.   

Trend Vision One ™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.  

Trend Cloud One™ - Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.   

Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.   

Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

With additional analysis fromNathaniel Morales, Maristel Policarpio, CJ Arsley Mateo, Don Ladores

Vision One hunting query

The following query lists potentially useful queries for threat hunting within Vision One:

(fullPath:("C:\Users\Public\enc.exe" OR "C:\Users\Public\pwndll.dll") OR malName:*agenda*) OR (objectFilePath: ("C:\Users\Public\enc.exe" OR "C:\Users\Public\pwndll.dll"))

Indicators of Compromise

The indicators of compromise for this entry can be found here.