Mohamed Fahmy, Nathaniel Gregory Ragasa, Earle Maui Earnshaw, Bahaa Yamany, Jeffrey Francis Bonaobra, and Jay Yaneza write:
We recently discovered a new piece of targeted ransomware that was created in the Go programming language and that explicitly targeted one of our customers. This was evidenced by the specific email addresses and credentials the ransomware used. Malware written in the Go language (aka Golang) has become common among threat actors. One possible reason for this uptick in popularity is that Go statically compiles necessary libraries, making security analysis much harder.
Our investigation revealed that the new ransomware in question targeted enterprises in Asia and Africa. Based on dark web posts by a user named “Qilin” (who seems to be connected to the ransomware distributors) and through ransom notes, the ransomware is called “Agenda.”
Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run. The samples of the ransomware that we collected were customized for each victim, and they included unique company IDs and leaked account details.
Read more at Trend Micro.