Full Report
Researchers observed that the Agenda Ransomware group, also tracked as Qilin or Water Galura, has been spreading through VMware vCenter and ESXi servers. The group has been actively evolving and targeting entities globally, particularly in the US, Argentina, Australia, and Thailand, ...
Analysis Summary
# Threat Actor: Agenda Ransomware Group
## Attribution & Identity
**Identification:** Agenda Ransomware group.
**Known Aliases and Associated Groups:** Qilin, Water Galura.
**Historical Activities and Campaigns:** Active since its inception in 2022, with a significant uptick in activity observed since December 2023.
## Activity Summary
The Agenda Ransomware group is actively evolving and targeting entities globally. Recent activity highlights a focus on spreading through compromised VMware vCenter and ESXi servers using a custom PowerShell script for novel deployment and lateral movement within virtual infrastructures. The group is deploying updated versions of its ransomware, including a Rust variant.
## Tactics, Techniques & Procedures
- **Initial Access:** Unknown.
- **Execution/Persistence:** Leveraging Bring Your Own Vulnerable Driver (BYOVD) strategy to evade defenses.
- **Lateral Movement/Defense Evasion:** Utilizing Cobalt Strike, PsExec, and Secure Shell (SSH) for movement. Exploiting vulnerable SYS drivers.
- **Unique TTP:** Novel approach spreading through VMware vCenter and ESXi via a custom PowerShell script.
- **Other TTPs:** Observed techniques include "Bring Your Own Vulnerable Driver" (in MITRE ATT&CK this is usually mapped under Defense Evasion or Privilege Escalation, e.g., T1212 when a known driver vulnerability is exploited, or under general evasion techniques).
- **Operational Tactic:** Capability to print ransom notes directly through connected printers.
## Targeting
- **Sectors:** Finance and legal sectors.
- **Geography:** Global, with observed concentration in the US, Argentina, Australia, and Thailand.
- **Targeted Technologies:** VMware vCenter Server, ESXi Server, S3 Bucket.
- **Victims:** No specific organizations mentioned.
## Tools & Infrastructure
- **Malware Families Used:** Agenda Ransomware (including a Rust variant).
- **Observed Tools:** Cobalt Strike, PsExec, Secure Shell (SSH), Remote Monitoring and Management (RMM) tools.
- **Infrastructure:** C2 servers and domains are not detailed; propagation relies on custom PowerShell scripts.
## Implications
The group poses a severe threat to virtual infrastructures due to its specific focus on compromising VMware ESXi and vCenter environments. The adoption of a Rust variant and of advanced evasion techniques such as BYOVD suggests continued technical evolution and potentially increased impact against heavily virtualized environments.
## Mitigations
- Patch and secure VMware vCenter and ESXi servers against known vulnerabilities.
- Implement robust endpoint protection capable of detecting or preventing BYOVD activities and exploitation of vulnerable drivers.
- Monitor outbound traffic associated with Cobalt Strike and PsExec usage for indicators of lateral movement.
- Review and secure access controls for RMM tools utilized by the organization.
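As an added example (not code from the report or the researchers), the following detector applies two of the mitigations above to endpoint telemetry: it flags driver loads from outside the standard Windows driver directories, which matters for BYOVD because the abused drivers are usually validly signed, and it flags PsExec service installs. It assumes Sysmon Event ID 6 (DriverLoad) and System log Event ID 7045 field names; the events and hostnames are constructed.

```python
from pathlib import PureWindowsPath

# Directories a legitimately installed driver is expected to load from.
STANDARD_DRIVER_DIRS = (r"\windows\system32\drivers", r"\windows\system32\driverstore")

# Constructed sample events in a Sysmon/System-log-like shape; hostnames are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "vc-mgmt01", "SignatureStatus": "Valid",
     "Signature": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 6, "Computer": "vc-mgmt01", "SignatureStatus": "Valid",
     "Signature": "Example Vendor Co.",            # validly signed but dropped in ProgramData
     "ImageLoaded": r"C:\ProgramData\tmp\legacy.sys"},
    {"EventID": 7045, "Computer": "esxi-jump02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "esxi-jump02", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]


def classify(event):
    """Return (rule, detail) when an event matches a rule, otherwise None."""
    eid = event.get("EventID")
    if eid == 6:  # Sysmon DriverLoad
        path = event.get("ImageLoaded", "")
        parent = str(PureWindowsPath(path).parent).lower()
        if event.get("SignatureStatus", "").lower() != "valid":
            return ("driver_load_unsigned_or_invalid", path)
        # BYOVD drivers carry a valid signature, so the load location is the useful signal.
        if not any(parent.endswith(d) or (d + "\\") in parent for d in STANDARD_DRIVER_DIRS):
            return ("driver_load_nonstandard_path", path)
    elif eid == 7045:  # System log: a new service was installed
        name = event.get("ServiceName", "").upper()
        image = event.get("ImagePath", "").upper()
        if "PSEXESVC" in name or "PSEXESVC" in image:
            return ("psexec_service_install", event.get("ImagePath", ""))
    return None


def detect(events):
    """Run every event through classify() and collect alerts with host context."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"host": ev.get("Computer", "?"), "rule": hit[0], "detail": hit[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```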