Ransomware Spotlight: Agenda

T1189 - Drive-by Compromise
The Agenda ransomware has been observed being delivered using various methods such as drive-by downloads, cloned sites, hosted files, and scripted web delivery or via compromised systems.

T1091 - Replication Through Removable Media
It has the capability to generate payloads that autoplay via removable media such as USB drives and CDs.

T1078 - Valid Accounts
It uses compromised accounts obtained through stolen credentials and process token impersonation.

T1566.002 - Phishing: Spearphishing Link
It can also arrive via emails containing malicious attachments and links or fake captcha social engineering.

T1059 - Command and Scripting Interpreter
The Agenda ransomware variants (Go, Rust, Linux) accept multiple command-line parameters for configuration and execution, including options for encryption behavior, propagation, privilege escalation, safe mode, and operational customization. The specific arguments vary by variant (as discussed in the previous section).

T1059.001 - Command and Scripting Interpreter: PowerShell
It executes a PowerShell command to restart the LanmanWorkstation service after modifying network share connections. It also executes PowerShell and Active Directory commands to restart services and enumerate domain computers, and supports --kill-cluster to terminate VM clusters and --spread-vcenter to propagate in vCenter/ESXi using provided credentials and binaries.

T1569.002 - System Services: Service Execution
The new Agenda Rust variants embed PsExec to perform remote service execution. When run with the -propagate or --spread arguments, the malware drops PsExec into the %UserTemp% directory and uses it to execute the malware on remote hosts.

T1569.002 - System Services: Service Execution
The ransomware creates a TrueSightKiller service with the name “truesight” or starts it if it already exists. It also drops the Zemana Anti-Malware driver with a randomized name under %System%\drivers\, then creates a corresponding service entry in HKLM\SYSTEM\CurrentControlSet\Services to load the Spyboy driver.

T1129 - Shared Modules
It uses TrueSightKiller (Truesight.sys), and the RogueKiller Antirootkit Driver, which are both part of Adlice’s product suite.

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The ransomware creates a runonce autostart registry entry.

T1543.003 - Create or Modify System Process: Create or Modify System Process: Windows Service
It modifies and disables the VSS service using wmic and net commands to prevent shadow copy creation.

T1547.0001 - Boot or Logon Autostart Execution: Registry Run Keys/ Startup Folder
It modifies the ImagePath value in registry to ensure the executable file rush persistence-as-a-service (PaaS) upon system startup.

T1053 - Scheduled Task/Job
In specific campaigns, it has been observed to install a scheduled task named veeamupdate to execute the ransomware binary once it has compromised the machine.

T1134.001 - Access Token Manipulation: Token Impersonation/Theft
The ransomware parses accounts from configuration, attempts to log in, and uses the obtained user token to create a process via CreateProcessAsUser with the -alter {port number} argument.

T1055 - Process Injection
The ransomware then drops a patched DLL (pwndll.dll) in the Public folder and injects it into svchost.exe to enable continuous execution of the ransomware binary.

T1484.001 - Domain or Tenant Policy Modification: Group Policy Modification
In specific campaigns, it has been observed to use an endpoint hostname as the domain controller name in administrative shares and applies malicious GPO modifications to enable additional malicious behaviors.

T1078 - Valid Accounts: Local Accounts
In specific campaigns, it has been observed to create a backdoor administrative account named “Supportt” to maintain persistent elevated access using net user and net localgroup commands.

T1098 - Account Manipulation
In specific campaigns, it has been observed to reset the legitimate Administrator account password to maintain control and block legitimate administrators from regaining access using net user Administrator *****.

T1562 - Impair Defenses
The Agenda ransomware terminates antivirus-related services and processes to evade detection and protection. It also continuously scans running processes and sends termination commands to the eskle.sys driver via DeviceIoControl, specifying the target process name to terminate.

T1562.001 - Impair Defenses: Disable or Modify Tools
It disables User Account Control (UAC), preventing prompts for administrative rights and reducing system protection.

T1480 - Execution Guardrails
It requires a password key validated against a stored hash before proceeding with its routine.

T1070.001 - Indicator Removal: Clear Windows Event Logs
It executes commands via wevtutil and PowerShell to clear all Windows event logs, removing forensic traces.

T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
It executes fsutil commands to modify symlink evaluation settings, redirecting file system access to alternate locations on compromised networks.

T1562.009 - Impair Defenses: Safe Mode Boot
It adds a process to restart the system in Safe Mode with networking using bcdedit /set {current} safeboot network when executed with the -safe argument.

T1070.004 - Indicator Removal: File Deletion
It deletes itself after execution using cmd /C timeout /T 5 & Del, unless run with --no-delete. The Agenda ransomware version that was observed in February 2024 avoids self-deletion when executed with --no-destruct.

T1497.001 - Virtualization/Sandbox Evasion: System Checks
It performs CPUID checks to identify its environment, and it can terminate VMs unless run with --no-vm and detect sandbox environments unless run with --no-sandbox. It also enumerates registry subkeys under System\CurrentControlSet\Enum\IDE and System\CurrentControlSet\Enum\SCSI to detect virtualization strings and exits. It also checks if Sbiedll module is loaded in memory.

T1134.005 - Access Token Manipulation: SID- History Injection
When executed with --escalated --parent-sid {SID}, it can run under the context of the specified SID.

T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion
When executed with --timer, it delays execution by the specified time.

T1564 - Hide Artifacts
The Agenda ransomware Rust variant sampled in February 2024 modifies the VMware PowerCLI module in its propagation script to suppress error prompts during execution failures.

T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
The Agenda ransomware Rust variant sampled in February 2024 uses chmod in its propagation script to modify permissions of the copied file and make it executable.

T1140 - Deobfuscate/Decode Files or Information
The Agenda ransomware Rust variant sampled in February 2024 uses a .NET loader that decrypts and dynamically loads an assembly, iterates through its types, and invokes an obfuscated method via reflection.

T1027.002 - Obfuscated Files or Information: Software Packing
A later iteration of the Agenda ransomware Rust variant sampled in November 2024 was observed to have been loaded via process injection by NETXLOADER, which is packed with .NET Reactor v6.

T1055.002 - Process Injection: Portable Executable Injection
The Agenda ransomware Rust variant sampled in November 2024 has a loader that allocates memory with VirtualAlloc, copies the payload, changes memory protection to PAGE_EXECUTE_READWRITE using VirtualProtect, spawns a thread via CreateThread to execute the payload, and waits for termination using WaitForSingleObject.

T1553.002 - Subvert Trust Controls: Code Signing
The Agenda ransomware uses KAPROCHANDLER in a signed driver to delete files and terminate processes associated with antivirus products.

T1055 - Process Injection: Thread Local Storage
It also uses PuTTY (disguised as a legitimate application or renamed to mimic system processes) to hide malicious activities in plain sight. It also leverages Thread Local Storage (TLS) callbacks to stealthily execute malicious payloads.

T1081 - Credentials in Files
It extracts stored usernames and passwords from the Veeam backup database by querying the Credentials table using SELECT [user_name], [password] FROM [VeeamBackup].[dbo].[Credentials].

T1057 - Process Discovery
The Agenda ransomware discovers specific processes for termination. It also collects system details including OS type (Linux, Nutanix, VMKernel, FreeBSD, ESXi, Unknown), CPU count, OS version, vendor ID, processor information, and memory information.

T1135 - Network Share Discovery
It enumerates network share using NetShareEnum for its network encryption.

T1082 - System Information Discovery
It collects system details including OS type (Linux, VMKernel, FreeBSD, ESXi, Unknown), CPU count, OS version, vendor ID, processor information, and memory information. It also executes commands to enumerate installed products on the affected system.

T1083 - File and Directory Discovery
It enumerates files on the system to identify candidates for encryption and avoids encrypting files with specific strings and extensions.

T1033 - System Owner/User Discovery
It obtains a list of Active Directory computers and copies itself to them using PowerShell commands. It also retrieves user group details via whoami /groups and listed active sessions using query session.

T1087.001 - Account Discovery: Local Account
The Agenda ransomware Rust variant sampled in February 2024 uses its PowerShell propagation script to enumerate ESXi hosts on the target machine.

T1087 - Account Discovery Domain Account
Older Agenda campaigns have been observed to use PC Hunter and net group commands to gather Domain and Enterprise Admin group information.

T1087.002 - Account Discovery: Domain Account
It gathers members of the Domain Admins and Enterprise Admins groups using net group commands.

T1018 - Remote System Discovery
It discovers remote systems, particularly domain controllers, and lists all domain controllers in the specified domain using the nltest command.

T1049 - System Network Connections Discovery
It uses various tools (such as WannaMine, PC Hunter, and YDArkPass) to perform port scanning, list TCP connections, check processes on ports 80 and 14444, and view current network connections.

T1046 - Network Service Discovery
It uses the HRSword tool to enumerate network shares via the NetShareEnum API for its network encryption routine.

T1010 - Application Window Discovery
It uses SmokeLoader to terminate specific processes by identifying their window class names.

T1021 - Remote Services Remote Desktop Protocol
The Agenda ransomware enables remote desktop connections by modifying the registry via the reg add command. It also enables remote desktop connections by modifying firewall settings with netsh and altering registry keys to allow RDP sessions. It writes programs to the network share and execute commands on remote systems via PsExec, and uses Cobalt Strike to deploy additional payloads via SMB and Windows Admin Shares for lateral movement.

T1021 - Remote Services SMB/Windows Admin Shares
It utilizes administrative shares to distribute malware across network endpoints.

T1021.004 - Remote Services: SSH
It enables SSH for file transfer, establishes an SSH session, uploads and executes the payload on the target host, and then disconnects. It then uses PuTTY to establish SSH connections for lateral movement across compromised networks, leveraging legitimate SSH credentials obtained through credential dumping or phishing.

T1567.002 - Exfiltration to Cloud Storage
Older Agenda ransomware campaigns were observed to use the cloud sync service MEGAsync to exfiltrate files from the client to a remote cloud server. The ransomware sends the gathered information via HTTP POST.

T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
The Agenda ransomware uses WinSCP to exfiltrate files from the victim environment. It also uses the s5cmd tool to selectively exfiltrate sensitive documents, emails, and database files to cloud object storage using authenticated credentials.

T1041 - Exfiltration Over C2 Channel
It uses Coroxy/SystemBC to retrieve the victim’s username using GetUserNameExA, encrypts it with RC4 to conceal it during transmission, and sends it to a C&C server as part of initial registration.

T1071 - Application Layer Protocol: Web Protocols
It communicates with its C&C servers using direct TCP connections, proxy channels, and HTTP/HTTPS (Coroxy/SystemBC, SmokeLoader, Mongoose Web Server). It also abuses MeshAgent to use WebSocket over HTTPS (wss://) to connect to the MeshCentral C&C server (agent.ashx).

T1090 - Proxy: External Proxy
It uses Coroxy/SystemBC to establish a proxy channel to relay encrypted traffic and signals the C&C server when the session ends.

T1105 - Ingress Tool Transfer
It receives and executes various payloads from the attacker, with execution behavior depending on the payload type. It transfers and executes Linux ransomware binaries on a Windows host by abusing MeshAgent.

T1188 - Multi-hop Proxy
It uses Tor to route its C&C communications.

T1219 - Remote Access Tools
It uses legitimate remote access tools such as Remotely and MeshCentral to maintain persistent access and control over compromised systems.

T1490 - Inhibit System Recovery
It deletes shadow copies using vssadmin delete shadows /all /quiet. Newer Agenda ransomware Rust versions overwrite deleted data with cipher /w:{Drive Letter}:\.

T1486 - Data Encrypted for Impact
Early Agenda ransomware samples supported intermittent encryption with -n, -p, fast, skip, and step flags in configuration. The version sampled in June 2024 skips mounted shares with no-mounted and avoid prioritizing files with no-priority.

Agenda ransomware generates an AES-256 encryption key and IV using rand_read(), encrypts files with AES-256, then encrypts the key with RSA-2048 using an embedded public key. It also supports intermittent encryption based on passed arguments and flags.

The Agenda ransomware Linux variant uses RSA and AES for file encryption, supports multi-threading, and applies intermittent encryption based on configured step size.

T1489 - Service Stop
It terminates and disables services.

T1491.001 - Defacement: Internal Defacement
It changes the wallpaper after execution by modifying the registry and modifies the motd file to display the ransom note upon user login (as shown in the previous section).

T1531 - Account Access Removal
The Agenda ransomware Rust Variant changes the root password of accessed vCenter and ESXi hosts to the ransomware execution password. Its version sampled in June 2024 can remove user access by modifying passwords when executed with --safe.

T1561.001 - Disk Wipe: Disk Content Wipe
It deletes VMFS-5 and VMFS-6 virtual disks on ESXi devices and removes snapshots when running in a virtual machine.

T1496 - Resource Hijacking
Early Agenda campaigns were observed downloading coinminer files.