Healthcare and education organizations in South Africa, Saudi Arabia, Indonesia, and Thailand are under attack from the new customizable Golang-based Agenda ransomware strain, The Hacker News reports.
Affiliates using Agenda, which is being promoted by Qilin on the dark web, can personalize binary payloads per victim and choose the encryption extension, the services and processes to terminate before encryption, and the ransom note, a Trend Micro study showed.
"Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run," said researchers.
The report also found that Agenda exploits the "safe mode" functionality of impacted devices to evade detection and abuses local account credentials to execute the ransomware binary.
Attackers could also use Agenda to compromise an entire network along with its drivers, according to researchers. In one attack, a public Citrix server was exploited to facilitate ransomware deployment in less than two days.
New customizable Agenda ransomware examined