Ransom.Win32.AGENDA.YXDGDT

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• cmd /C fsutil behavior set SymlinkEvaluation R2R:1 ← Enable remote to remote symbolic link
• cmd /C fsutil behavior set SymlinkEvaluation R2L:1 ← Enable remote to local symbolic link
• powershell -Command "\"{get-service LanmanWorkstation |Restart-Service -Force}\""
• cmd /C net use
• cmd /C sc config vss start=demand
• cmd /C net start vss
• cmd /C vssadmin.exe delete shadows /all /quiet ← Deletes shadow copies
• cmd /C sc config vss start=disabled
• cmd /C net stop vss
• cmd /C for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"

Other System Modifications

This Ransomware modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkConnections = 1

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\
LanmanServer\Parameters
MaxMpxCt = 65535

Process Termination

This Ransomware terminates the following services if found on the affected system:

• (.*?)sql(.*?)
• acronisagent
• acrsch2svc
• anagementservice
• backup
• backupexecagentaccelerator
• backupexecagentbrowser
• backupexecdivecimediaservice
• backupexecjobengine
• backupexecm
• backupexecrpcservice
• backupexecvssprovider
• ervice
• gxblr
• gxcimgr
• gxclmgrs
• gxcvd
• gxfwd
• gxmmm
• gxvss
• gxvsshwprov
• memtas
• mepocs
• msexchange
• msexchange\$
• mvarmor
• mvarmor64
• pdvfsservice
• qbcfmonitorservice
• qbdbmgrn
• qbidpservice
• sap
• sap\$
• sapd\$
• saphostcontrol
• saphostexec
• sapservice
• sophos
• veeam
• veeamdeployments
• veeamnfssvc
• veeamtransportsvc
• vmms
• vsnap
• vss
• wsbexchange

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• avagent
• avscc
• bedbh
• ben
• benetns
• beserver
• cagservice
• cess
• cvd
• cvfwd
• cvmountd
• cvods
• dbeng50
• dbsnmp
• dellsystemde
• encsvc
• enterpriseclient
• excel
• firefox
• gien
• infopath
• isqlplussvc
• msac
• msaccess
• mspub
• mvdesktopservice
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• pvlsvr
• qbcfmonitorservice
• qbdbmgrn
• qbidpservice
• raw_agent_svc
• sap
• saphostexec
• saposcol
• sapstartsrv
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• teamviewer
• teamviewer_service
• tect
• thebat
• thunderbird
• tv_w32
• tv_x64
• veeamdeploymentsvc
• veeamnfssvc
• veeamtransportsvc
• visio
• vmms
• vmwp
• vsnapvss
• vxmon
• winword
• wordpad
• xfssvccon

Other Details

This Ransomware does the following:

• It enables privileges in its own access token.
• When the parameter, '-propagate' is used; it performs the following actions:
  • It adds the following folder:
    • %System Root%\{Random Characters}
  • It drops the following files:
    • %System Root%\{Random Characters}\PsExec.exe ← Legitimate Windows Application to execute the Agenda binary on remote machines within the network.
  • It adds the following processes:
    • cmd /C PowerShell.exe (Get-ADComputer -filter *).name ← Enumerate domain computers

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It accepts the following parameters:

• -ips ← Allows for providing IP addresses
• -password ← Required parameter to proceed to the landing page
• -paths ← Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned.
• -propagate ← Propagate to remote machines
• -safe ← Restart in safe mode
• -debug ← Enables debug mode
• -timer ← Sets a time delay before execution
• -exclude ← For exclusion
• -no-proc
• -no-services
• -no-domain
• -no-network
• -no-wallpaper

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• #recycle
• autorun.inf
• autorun.ini
• boot.ini
• bootfont.bin
• bootfront.bin
• bootmgfw.efi
• bootmgr
• bootmgr.efi
• bootsect.bak
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files with the following strings in their file path:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• admin$
• all users
• appdata
• application data
• boot
• config.msi
• default
• google
• intel
• ipc$
• mozilla
• msocache
• netlogon
• perflogs
• program files
• program files (x86)
• programdata
• system volume information
• sysvol
• tor browser
• windows
• windows.old

It appends the following extension to the file name of the encrypted files:

• .hm-OG60Qdd

It drops the following file(s) as ransom note:

• {All Available Directories}\README-RECOVER-hm-OG60Qdd.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .ani
• .bat
• .bin
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diapkg
• .dll
• .drv
• .exe
• .hlp
• .hm-OG60Qdd
• .hta
• .icl
• .icns
• .ico
• .ics
• .idx
• .key
• .ldf
• .lnk
• .lock
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .pdb
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx