Agenda Ransomware Targets VMware ESXi Servers: How to Protect Your Data

NAKIVO
7 min read · Apr 25, 2024

The Agenda ransomware is an infamous strain of ransomware-as-a-service (RaaS) threat developed by a criminal group aiming for financial gain. In December 2023, Agenda ransomware hit Yanfeng, the Chinese automotive giant, and disrupted court services in Victoria, Australia. In early 2024, the same malware paralyzed city services in Hamilton, Canada.

The attacks using Agenda ransomware started attracting more attention in late 2023. This happened because the ransomware was improved to make it even more effective against VMware ESXi servers.

NAKIVO Backup & Replication helps you protect your VMware environment from ransomware infections and data loss through immutable backups, malware scans and air-gapped backups.


What is Agenda Ransomware?

Agenda ransomware, also known as Qilin ransomware, is malware distributed on a ransomware-as-a-service (RaaS) model. This means that the cybercriminals who develop the ransomware supply it to affiliates who want to conduct an attack, in exchange for a share of the ransom or other profit. Agenda’s sophistication, combined with attacks customized for each target, makes this strain especially dangerous. Additionally, the ransomware has advanced stealth and impersonation capabilities that help it evade antivirus and security monitoring solutions.

Agenda first appeared on the scene in 2022 with the attack on a leading IT organization in Australia. After that, the criminals seemed to pick their victims randomly, hitting organizations from industries such as law, real estate and finance. However, recent cases showed a change: the Agenda ransomware has targeted critical infrastructure and operational technology (OT) organizations more frequently.

Analysis of Agenda attack episodes shows the United States as the most targeted region. Other locations where the group is significantly active include Argentina, Thailand and Australia. CIS countries appear to be outside the group’s interest, based on a screenshot of an alleged Qilin recruiter’s post, written in Russian, that Group-IB found on an underground forum.

Agenda encrypts the data on the target system with AES-256. RSA-2048 is used to encrypt the generated AES keys, so the files cannot be recovered without the attackers’ private key. After successful encryption, file extensions are changed to a random string. No public decryption key for Agenda ransomware is currently available.

How Agenda Ransomware Infects an ESXi Server

To deliver the Agenda binary into the target environment, cybercriminals mostly use phishing, particularly spear phishing. Spear phishing is a social engineering technique in which a malicious actor pretending to be a trusted person tricks an email recipient into giving out access credentials, downloading an attached file or folder, or clicking a malicious link. Known attacks show that Agenda operators customize their strikes: they carefully choose their initial victim and the fake identity they will impersonate before executing the plan.

The enhanced version of Agenda ransomware is able to infect and spread to VMware vCenter and ESXi. The key component that triggers the ransomware attack here is a specialized PowerShell script, delivered via either an RMM tool or Cobalt Strike after access credentials have been compromised. Once the script runs, the malicious code spreads laterally, targeting VMware environments and ESXi hypervisors. By repurposing PowerShell to execute ransomware payloads, malicious actors can use the advanced capabilities of this tool to bypass standard cybersecurity measures.

After spreading across the virtual environment, Agenda blocks legitimate access to compromised ESXi hosts by changing the root passwords. The malware then uploads its payload to the hosts via SSH (Secure Shell).

The newest version of the Agenda ransomware retains the functionality of previous iterations, including file path scanning, timed payload execution and the use of PsExec to spread across remote workloads, among other capabilities. However, it also has an expanded list of commands that enable actions such as VMware cluster shutdown, privilege escalation and access token impersonation. The ability to print ransom notes on the victim’s printers adds psychological pressure on victims.

By executing the ransomware commands through a shell, attackers can stay undetected for longer because fewer files are written to disk to form a forensic trail. Agenda ransomware can also abuse vulnerable SYS drivers (the so-called bring-your-own-vulnerable-driver technique) to hide from security monitoring and antivirus scanning.

How to Protect ESXi Infrastructures and Data from Agenda Ransomware

Similar to some of the newest ransomware strains like ESXiArgs, Agenda’s sophistication poses a challenge to the protection of virtual machines, ESXi hosts, VMware data and infrastructures. However, heeding the following recommendations can help you enhance the security of sensitive records and the resilience of your organization’s environment.

Educate Employees

Agenda ransomware, like other malware, can sneak into the IT environment via phishing or, more specifically, spear phishing emails. This means that, as in an estimated 95% of cyberattacks, the cybercriminals count on human error to get their malicious code into your VMware environment. These numbers show that employee education can be a strong data protection practice for an organization.

An employee who knows about cyberthreats and data security is more likely to suspect a phishing attempt and avoid clicking a malicious link. Additionally, vigilant users don’t usually download unknown attachments to their devices and don’t share access credentials via email. Lastly, in case such users accidentally take an action threatening IT security, they can quickly notify tech specialists for a faster reaction.

Set up infrastructure monitoring

The stealth capabilities of Agenda ransomware and some other malware can keep the infection concealed until the very last moment. However, infrastructure monitoring tools can help your IT experts track internal changes in resource utilization and network load, among other metrics. Unusual ESXi server activity, unexpected power consumption peaks or irregular network traffic can reveal threats that you should neutralize before the malicious code causes a disaster.
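The infection chain described above (root SSH access, root password changes from the ESXi shell, mass VM shutdown) leaves traces in the host logs even when no payload file is ever written, and the monitoring recommendation in this section is about spotting exactly such changes. The following detector is an added example, not NAKIVO’s code or a tool mentioned on this page: it scans log lines in the style of an ESXi host’s sshd and shell logs for three of those signals. The sample lines are constructed for this example (real ESXi log lines carry additional fields), and the SSH source allowlist and the power-off thresholds are assumed policy values you would set for your own environment.

```python
"""Added example (not NAKIVO's code): detect ESXi-side signals associated with
the Agenda infection chain described in the article: root SSH logins from
unexpected sources, root password changes from the ESXi shell, and bursts of
VM power-off commands. Log format, allowlist and thresholds are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real captures) modelled loosely on ESXi
# /var/log/auth.log (sshd) and /var/log/shell.log (interactive shell commands).
SAMPLE_LOG = """\
2024-04-25T09:58:10Z sshd[2201]: Accepted password for root from 10.10.20.5 port 50122 ssh2
2024-04-25T10:01:12Z sshd[2310]: Accepted password for root from 192.0.2.44 port 41002 ssh2
2024-04-25T10:01:30Z shell[2311]: [root]: passwd root
2024-04-25T10:02:01Z shell[2311]: [root]: vim-cmd vmsvc/power.off 12
2024-04-25T10:02:02Z shell[2311]: [root]: vim-cmd vmsvc/power.off 13
2024-04-25T10:02:02Z shell[2311]: [root]: vim-cmd vmsvc/power.off 14
2024-04-25T10:02:03Z shell[2311]: [root]: vim-cmd vmsvc/power.off 15
2024-04-25T10:02:05Z shell[2311]: [root]: esxcli system settings advanced list
"""

# Assumed policy: only the management jump host may open root SSH sessions, and
# more than POWEROFF_LIMIT power-offs inside POWEROFF_WINDOW is abnormal.
SSH_ALLOWLIST = {"10.10.20.5"}
POWEROFF_LIMIT = 3
POWEROFF_WINDOW = timedelta(seconds=30)

SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
SHELL_RE = re.compile(r"^(\S+) shell\[\d+\]: \[(\w+)\]: (.*)$")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze(log_text):
    """Return a list of (timestamp, finding) tuples in log order."""
    findings = []
    poweroffs = []  # timestamps of recent power.off calls (sliding window)
    for line in log_text.splitlines():
        ssh = SSH_RE.match(line)
        if ssh:
            ts, user, src = ssh.groups()
            if user == "root" and src not in SSH_ALLOWLIST:
                findings.append((ts, f"root SSH login from non-allowlisted source {src}"))
            continue
        sh = SHELL_RE.match(line)
        if not sh:
            continue
        ts, user, cmd = sh.groups()
        # Root password change from the shell: the article's "lock out the admins" step.
        if re.match(r"^passwd(\s|$)", cmd):
            findings.append((ts, f"password change from ESXi shell by {user}: {cmd}"))
        # Mass VM shutdown: many power.off calls within a short window.
        if "vmsvc/power.off" in cmd:
            now = parse_ts(ts)
            poweroffs = [p for p in poweroffs if now - p <= POWEROFF_WINDOW]
            poweroffs.append(now)
            if len(poweroffs) == POWEROFF_LIMIT + 1:  # fire once, when the limit is first crossed
                findings.append((ts, f"{len(poweroffs)} VM power-offs within {POWEROFF_WINDOW.seconds}s"))
    return findings


if __name__ == "__main__":
    for ts, finding in analyze(SAMPLE_LOG):
        print(ts, finding)
```

Run against the constructed sample, the detector reports the root login from 192.0.2.44, the `passwd root` command and the fourth power-off; the login from the allowlisted jump host and the read-only `esxcli` listing are left alone. In practice the same three checks belong in your SIEM rules against syslog forwarded from the hosts, with the allowlist drawn from your management network.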

Deploy antivirus solutions

The ability of Agenda and other ESXi ransomware to remain hidden does not undermine the importance of antivirus solutions. Malicious actors often use other, less sophisticated tools (traffic interceptors, keyloggers, trojans, etc.) during an attack to gain a foothold before deploying the ransomware. An up-to-date, active antivirus can still watch your environment and alert you to such hacking tools.

Besides installing antivirus solutions on every ESXi server and virtual machine, consider implementing malware scanners in browsers and, especially, emails. This is how you can add a layer of protection against phishing, which is the main vector of Agenda ransomware attacks. Combined with educated and vigilant employees managing workloads, antivirus scanners can significantly reduce the probability of Agenda and other ransomware infecting your systems.

Regularly update software

Attackers adapt their tactics to the specifics of targeted environments, exploiting unpatched vulnerabilities in an organization’s protection systems or IT supply chain. Software updates close the openings in your infrastructure that attackers could otherwise use to intrude. Introducing regular update checks for your solutions limits the ways to bypass security, execute malicious commands and disrupt operations in your VMware environment.

Set multi-factor authentication

Since Agenda ransomware attacks involve compromising access credentials, particularly to leverage PowerShell and SSH, protecting those credentials with an additional authentication factor can be effective. When an SMS code is required to log in to a workload, stolen credentials alone are insufficient to complete a breach.

Segment your IT environment

Network segmentation is a basic cybersecurity practice that can be useful when protecting data and workloads from malware. For instance, setting internal software or hardware firewalls can help you zone your infrastructure and prevent ransomware from encrypting certain data even after breaching through the external perimeter. You can also consider creating physical or logical air gaps to isolate mission-critical workloads and ensure production continuity.

Have ransomware-protected VMware backups

Having relevant data backups at hand may not be enough to protect your data and infrastructure from Agenda. VMware ESXi ransomware can target backups the same way it targets production machines and original data. If the backups are encrypted too, the attackers have a better chance of receiving their ransom, even if they raise the demanded sum.

However, you can ensure backup data availability even if ransomware successfully reaches your backup storage. Modern VMware data protection solutions support backup immutability. Making backups immutable protects them from alteration or deletion for a given retention period, which means ransomware can’t encrypt or delete the data during that period. In case of a ransomware infection, you can use such backups to restore data, workloads and entire infrastructures.
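To make the immutability guarantee concrete, the following is an added example (not NAKIVO’s code and not how any particular product implements it): a minimal in-memory model of a write-once repository with a retention period. It shows the three operations a repository must refuse while a copy is under retention: overwriting the object, deleting it, and shortening its retention, which is the trick an attacker holding admin credentials would otherwise use to unlock a copy before encrypting it. The object name, payload, clock and retention period are constructed for the example; real solutions enforce these rules in the storage layer (object lock on S3-compatible targets, immutable attributes on Linux repositories), not in application code.

```python
"""Added example (not NAKIVO's code): a model of an immutable (WORM) backup
repository with a retention period. Names, data and the clock are constructed."""
import hashlib
from datetime import datetime, timedelta


class ImmutabilityViolation(PermissionError):
    """Raised when an operation would modify a copy that is still under retention."""


class ImmutableRepo:
    def __init__(self, clock):
        self._clock = clock   # callable returning the current time; injectable for tests
        self._objects = {}    # name -> (data, retain_until, sha256 hex digest)

    def now(self):
        return self._clock()

    def put(self, name, data, retention):
        """Store a backup object; an existing object under retention cannot be overwritten."""
        if name in self._objects and self._objects[name][1] > self.now():
            raise ImmutabilityViolation(f"{name} is locked until {self._objects[name][1]}")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[name] = (bytes(data), self.now() + retention, digest)
        return digest

    def delete(self, name):
        """Delete is allowed only after the retention period has expired."""
        _, retain_until, _ = self._objects[name]
        if retain_until > self.now():
            raise ImmutabilityViolation(f"{name} is locked until {retain_until}")
        del self._objects[name]

    def extend_retention(self, name, new_until):
        """Retention may only grow; shortening it would let an attacker unlock the copy."""
        data, retain_until, digest = self._objects[name]
        if new_until < retain_until:
            raise ImmutabilityViolation("retention cannot be shortened")
        self._objects[name] = (data, new_until, digest)

    def restore(self, name):
        """Return the stored bytes after verifying they match the digest taken at write time."""
        data, _, digest = self._objects[name]
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError(f"integrity check failed for {name}")
        return data


def attempt_tampering(repo, name):
    """Model what a process with full repository credentials would try against a
    locked copy, and return the names of the operations the repository rejected."""
    rejected = []
    try:
        repo.put(name, b"\x00ciphertext placeholder\x00", timedelta(days=1))
    except ImmutabilityViolation:
        rejected.append("overwrite")
    try:
        repo.delete(name)
    except ImmutabilityViolation:
        rejected.append("delete")
    try:
        repo.extend_retention(name, repo.now())
    except ImmutabilityViolation:
        rejected.append("shorten-retention")
    return rejected


def demo():
    """Write one copy with 30 days of retention, try to tamper with it, restore it,
    then show that deletion is allowed once the retention period has passed."""
    clock = {"t": datetime(2024, 4, 25, 12, 0)}          # constructed, controllable clock
    repo = ImmutableRepo(lambda: clock["t"])
    payload = b"vm-db01 full backup (constructed bytes)"
    repo.put("vm-db01-full", payload, timedelta(days=30))
    rejected = attempt_tampering(repo, "vm-db01-full")
    restored = repo.restore("vm-db01-full")              # still intact after the attempts
    clock["t"] += timedelta(days=31)
    repo.delete("vm-db01-full")                          # lifecycle cleanup after expiry
    return rejected, restored == payload


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that immutability is a property of the storage, not of the credentials: the same code path that serves legitimate writes refuses overwrites, deletes and retention shortening for every caller, including an administrator whose account the attackers have taken over. The retention period therefore has to be longer than the time it would take you to notice an intrusion and start recovery.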

Conclusion

Agenda ransomware has developed into a particular threat for ESXi servers and VMware environments. After acquiring access credentials via spear phishing, attackers using this RaaS can leverage PowerShell commands and SSH to spread and execute malicious code while remaining hidden.

To protect your ESXi hosts and VMware data from Agenda ransomware, consider educating employees about cyberthreats and security, setting up a protection perimeter with monitoring and antivirus tools, and enabling multi-factor authentication. Also, you might want to segment your IT infrastructure to mitigate the consequences of a ransomware breach and ensure regular software updates to patch vulnerabilities. Lastly, form a last line of defense by implementing a data protection solution that supports backup immutability, so that data copies remain recoverable even after a successful ransomware attack.

Download the NAKIVO Backup & Replication 15-day Free Trial to start protecting VMware workloads. Incremental backups, instant and flexible recovery, advanced ransomware protection and more. No capacity limitations and no credit card required.


NAKIVO

NAKIVO is a US-based corporation dedicated to developing the ultimate VM backup and site recovery solution: https://www.nakivo.com