Ransomware, Breach, Content, Content

New Ransomware Variant, Written In Rust, Hitting Critical Infrastructure Companies

A new ransomware group dubbed Agenda (aka Qilin) has started using Rust, a cross-platform language that makes it easier to customize malware to Windows, Linux and other operating systems, Trend Micro reported in a new blog post.

Rust Goes Wild

Ransomware-as-a-service crews such as BlackCat, Hive and RansomExx have developed their own versions of their ransomware in Rust. Trend Micro said its researchers had recently found in the wild a sample of the Agenda ransomware written in Rust language and detected as Ransom.Win32.AGENDA.THIAFBB.

As Trend Micro wrote:

“The Agenda ransomware is also known to deploy customized ransomware for each victim, and we have seen that its Rust variants have an allocated space for adding accounts in their configuration to be used mostly for privilege escalation.”

Trend Micro said Agenda has posted a number of companies on its leak site, claiming they had breached their servers and threatened to post their data. Agenda’s targets appear to be critical infrastructure facilities in manufacturing and IT located in a variety of countries, with an estimated revenue of some $550 million, the security provider’s researchers said.

An earlier version of the Agenda ransomware, written in Go, targeted the healthcare and education sectors in Thailand and Indonesia.

"At present, its threat actors appear to be migrating their ransomware code to Rust as recent samples still lack some features seen in the original binaries written in the Golang variant of the ransomware," the researchers said.

Rust Tactics Examined

The Rust variant has also been seen using intermittent encryption, a tactic used by threat actors for faster encryption and detection evasion, Trend Micro said.

According to Trend Micro:

“The actors customized previous ransomware binaries for the intended victim through the use of confidential information such as leaked accounts and unique company IDs as the appended file extension."

The tactic, the researchers said, is “becoming more popular” among ransomware actors.

Trend Micro added:

“Threat actors continue to favor ransomware as their tool of choice for conducting their operations, reiterating the call for enterprises and organizations to rely on a multilayered solution to secure data."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.