The extortion of Agenda is connected with the user under the nickname QILIN and is distributed according to the RAAS scheme (extortion software as a service). Initially, the harm was written on Golang and was used in a number of attacks aimed at critically important infrastructure, enterprises and IT companies in different countries.
As experts from Trend Micro say, the Agenda Rust version offers intermittent encryption as an additional and customizable parameter. 3 possible partial encryption mode:
skip -step [skip: n, stp: y] – encrypt every Y MB file, missing N MB;
fast [f: n] – encrypt the first N MB file;
percent [n: n; P: p] – encrypt every n MB of the file, skipping P MB, where P is P% of the total file size.
Analysis of the binary file of the Mount Program showed that the encrypted files receive an extension “MMXREVIXLV”, after which a note about the redemption is placed in each directory.
In addition, the Agenda Rust version can complete the Appinfo process and disconnect user Account Control (UAC), which helps to mitigate the effects of malware, requiring the administrator’s right to launch the program.