The notorious Agenda ransomware group has unleashed a new and upgraded variant of its malware, intensifying its global onslaught by targeting VMware ESXi servers.
First emerging in 2022 under aliases such as Qilin and Water Galura, Agenda initially deployed Golang-based ransomware, indiscriminately attacking sectors ranging from healthcare to manufacturing and education across countries like Canada, Colombia, and Indonesia.
As the year progressed, Agenda's operators transitioned to a Rust-based variant, offering versatility across operating systems. This iteration expanded its reach, infiltrating organizations in finance, law, and construction, primarily in the US but also in regions like Argentina, Australia, and Thailand.
Recently, Trend Micro detected a fresh iteration of Agenda ransomware in the wild, featuring advanced functionalities and stealth mechanisms, with a primary focus on VMware vCenter and ESXi servers.
Stephen Hilt, Senior Threat Researcher at Trend Micro, highlights the escalating trend of ransomware targeting ESXi servers due to their critical role in hosting essential systems and applications, amplifying the potential impact of successful attacks.
Infections surged in December, facilitated by delivery via Cobalt Strike or remote monitoring and management tools, with a PowerShell script enabling propagation across vCenter and ESXi servers.
The latest Agenda variant retains previous functionalities while introducing new commands for privilege escalation, token impersonation, and disabling virtual machine clusters. Notably, hackers can now print ransom notes, augmenting psychological impact.
To bolster stealth, Agenda adopts the "bring your own vulnerable driver" (BYOVD) tactic, loading legitimately signed but vulnerable SYS drivers to disable or evade security software.
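As an added illustration of how a defender might watch for the two behaviours described above (a vulnerable-driver load and PowerShell reaching for vCenter/ESXi), here is a small triage script. It is not code from the article or from Trend Micro; the driver hash list, the cmdlet pattern, and the telemetry lines are constructed placeholders.

```python
# Added example (not from the article): scan constructed endpoint telemetry for
# two behaviours attributed to the new Agenda variant: loading a known-vulnerable
# driver (BYOVD) and PowerShell activity that reaches vCenter/ESXi hosts.
import re

# Hypothetical block list of SHA-256 hashes of vulnerable drivers. In practice,
# populate it from a maintained source (e.g. the Microsoft vulnerable driver
# block list). The value below is a constructed placeholder, not a real hash.
VULNERABLE_DRIVER_HASHES = {
    "0" * 63 + "1",
}

# Cmdlets and binaries a propagation script would need in order to touch
# vCenter/ESXi from a Windows foothold (assumed heuristic, not an official rule).
ESXI_PATTERN = re.compile(
    r"(Connect-VIServer|Get-VMHost|Stop-VM|esxcli|vim-cmd|vmware-cmd)", re.I
)

def triage(events):
    """Return a list of (rule, detail) findings for a list of event dicts."""
    findings = []
    for ev in events:
        if ev.get("event_id") == 6:  # Sysmon event 6: driver loaded
            sha256 = ev.get("sha256", "").lower()
            if sha256 in VULNERABLE_DRIVER_HASHES or ev.get("signed") is False:
                findings.append(("byovd_driver_load", ev["image"]))
        elif ev.get("event_id") == 4104:  # PowerShell script block logging
            if ESXI_PATTERN.search(ev.get("script", "")):
                findings.append(("powershell_esxi_access", ev["script"][:60]))
    return findings

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"event_id": 6, "image": r"C:\Windows\System32\drivers\legit.sys",
     "sha256": "ab" * 32, "signed": True},
    {"event_id": 6, "image": r"C:\Users\Public\loader.sys",
     "sha256": "0" * 63 + "1", "signed": True},
    {"event_id": 4104,
     "script": "Connect-VIServer vcenter.corp.example; Get-VM | Stop-VM -Confirm:$false"},
    {"event_id": 4104, "script": "Get-ChildItem C:\\temp"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Feeding real Sysmon and script-block events into `triage` gives a starting point for alerting; the hash list and cmdlet pattern should be tuned to the environment.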
Ransomware threats have transcended Windows, extending to Linux, VMware, and macOS, capitalizing on the wealth of sensitive data housed within these environments.
Hilt emphasizes the importance of organizational vigilance, advocating for strict control over administrative privileges, regular security updates, comprehensive scans, data backups, employee education on social engineering, and diligent cyber hygiene practices.
With organizations increasingly virtualizing systems on platforms like ESXi to reduce cost and keep operations on-premises, the risk of cyberattacks against virtualization infrastructure is poised to escalate further.