Researchers observed that the Agenda ransomware group, also tracked as Qilin or Water Galura, has been spreading through VMware vCenter and ESXi servers. The group has continued to evolve and targets organizations globally, particularly in the US, Argentina, Australia, and Thailand, with a notable focus on the finance and legal sectors.
Since its emergence in 2022, Agenda's activity has risen sharply, especially from December 2023 onward, indicating either an expansion of its operations or a higher rate of successful intrusions. The group has been deploying updated versions of its ransomware, including a Rust variant, and uses a mix of tooling for deployment and propagation: Remote Monitoring and Management (RMM) tools, Cobalt Strike, PsExec, Secure Shell (SSH), and vulnerable .sys drivers for defense evasion.
A notable addition to its arsenal is enhanced command execution and lateral movement: the ransomware uses a custom PowerShell script to propagate through VMware vCenter and ESXi servers, which poses a severe threat to virtualized infrastructure because encrypting at the hypervisor layer affects every guest VM on the host at once. It also uses advanced defense-evasion techniques, most notably Bring Your Own Vulnerable Driver (BYOVD), loading several vulnerable drivers to bypass security controls. Alongside these technical changes, Agenda can now also print ransom notes directly on connected printers, an unusual twist in its operations.
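The three behaviours described above (PowerShell reaching into vCenter/ESXi, a vulnerable driver being loaded, and ransom notes sent to printers) each leave telemetry a SOC can hunt on. The following is an added example written for this page, not code or indicators from the researchers' report: it runs a few hunting heuristics over constructed Sysmon-style event records. The field names, the PowerCLI/ESXi cmdlet list, the "driver loaded from a user-writable path" heuristic and the print-burst threshold are all assumptions chosen for illustration, not published indicators of this group.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data from the report). Field names are
# an assumption loosely modelled on Sysmon / Windows event fields. Events are
# expected in chronological order.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -ep bypass -File C:\Users\Public\deploy.ps1"},
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Connect-VIServer -Server vcenter01; Get-VMHost"'},
    {"ts": "2024-01-10T09:00:09", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "ssh.exe root@esxi01 vim-cmd vmsvc/getallvms"},
    {"ts": "2024-01-10T09:01:00", "host": "WS01", "type": "driver_load",
     "image": r"C:\Users\Public\helper.sys", "signed": True},
    {"ts": "2024-01-10T09:01:30", "host": "WS01", "type": "driver_load",
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "signed": True},
    # Six print jobs of the same document within one minute from one host.
    *[{"ts": f"2024-01-10T09:05:{i:02d}", "host": "WS01", "type": "print_job",
       "document": "note.txt", "printer": "HQ-Printer-2"} for i in range(0, 60, 10)],
]

# PowerCLI cmdlets and ESXi shell tools that a workstation's PowerShell rarely
# needs to invoke (assumed indicator list for illustration).
VMWARE_TOKENS = re.compile(
    r"(Connect-VIServer|Get-VMHost|Invoke-VMScript|esxcli|vim-cmd)", re.IGNORECASE)
# Remote-execution tools that are suspicious when spawned by PowerShell.
REMOTE_EXEC_TOOLS = {"ssh.exe", "plink.exe", "psexec.exe", "psexec64.exe"}
# Legitimately installed drivers live under System32\drivers; a .sys loaded
# from a user-writable directory is a cheap BYOVD heuristic.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users|ProgramData|Temp|Windows\\Temp)\\", re.IGNORECASE)
PRINT_BURST_THRESHOLD = 5   # assumed threshold
PRINT_BURST_WINDOW_S = 60   # assumed sliding window in seconds


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Run the heuristics and return (rule, host, evidence) tuples."""
    findings = []
    print_times = defaultdict(list)  # host -> timestamps inside the window
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            img = basename(ev["image"])
            parent = basename(ev.get("parent", ""))
            if img == "powershell.exe" and VMWARE_TOKENS.search(ev["cmdline"]):
                findings.append(("powershell_vmware_cmdlets", ev["host"], ev["cmdline"]))
            if img in REMOTE_EXEC_TOOLS and parent == "powershell.exe":
                findings.append(("remote_exec_from_powershell", ev["host"], ev["cmdline"]))
        elif kind == "driver_load":
            if USER_WRITABLE.match(ev["image"]):
                findings.append(("driver_from_user_writable_path", ev["host"], ev["image"]))
        elif kind == "print_job":
            ts = datetime.fromisoformat(ev["ts"])
            window = print_times[ev["host"]]
            window.append(ts)
            # Drop jobs that fell out of the sliding window.
            while (ts - window[0]).total_seconds() > PRINT_BURST_WINDOW_S:
                window.pop(0)
            # Fire when the in-window count reaches the threshold.
            if len(window) == PRINT_BURST_THRESHOLD:
                findings.append(("print_burst", ev["host"],
                                 f"{len(window)} jobs in {PRINT_BURST_WINDOW_S}s to {ev['printer']}"))
    return findings


if __name__ == "__main__":
    for rule, host, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {evidence}")
```

On the sample above the first PowerShell launch is deliberately not flagged: running a script with `-ep bypass` is too common in enterprise environments to alert on alone, so the rules key on what the script does next (vCenter cmdlets, an SSH session to an ESXi host spawned by PowerShell, a driver loaded from a user path, and a burst of print jobs). In production these fire from Sysmon event IDs 1 (process creation) and 6 (driver load) and from Microsoft-Windows-PrintService/Operational event 307 (document printed), and the path and cmdlet lists should be tuned to the environment.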