Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script

Since its discovery in 2022, the Agenda Ransomware group, also known as Qilin, has remained active and continually evolved. Trend Micro, tracking it as Water Galura, reports ongoing global infections with top targets including the US, Argentina, Australia, and Thailand, spanning various industries like finance and law. Recent data from March 2024 indicates an increase in Agenda ransomware detections compared to the previous month, suggesting heightened activity or broader targeting by the operators.

The ransomware has undergone updates, particularly in its Rust variant, utilizing Remote Monitoring and Management (RMM) tools and Cobalt Strike for deployment. It propagates via PsExec, SecureShell, and exploits vulnerable SYS drivers for evasion. Notably, Agenda now incorporates a custom PowerShell script to propagate to VMware vCenter and ESXi servers, potentially impacting entire virtual infrastructures.

Security Officer Comments:
The PowerShell script, executed in-memory, prompts users for vCenter or ESXi credentials and uploads the ransomware payload, changing ESXi host passwords to prevent victim access. It leverages various evasion techniques, including BYOVD (Bring Your Own Vulnerable Driver), making detection challenging. Additionally, Agenda has added features to print ransom notes on connected printers and terminate VM clusters.

Suggested Corrections:
To defend against Agenda and similar threats, organizations should restrict administrative rights, maintain updated security measures, regularly back up data, and educate users on social engineering risks.