The Agenda ransomware group has been observed developing new malware using the Rust programming language and using it to breach several companies.
“The threat actors not only claimed that they were able to breach the servers of these companies but also threatened to publish their files,” wrote Trend Micro researchers, who recently discovered the new malicious campaign.
According to the advisory published today, the companies the ransomware group claimed to have breached on its leak site are located in different countries and mainly belong to the manufacturing and IT industries. They have a combined revenue of around $550m.
“Recently, we found a sample of the Agenda ransomware written in Rust language,” Trend Micro said, adding that the variant has also been seen using intermittent encryption tactics to deliver faster encryption and avoid detection more efficiently.
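Intermittent encryption, as mentioned above, leaves a file with alternating runs of untouched and encrypted bytes, which defeats detectors that only look at whole-file entropy. The following is an added, defender-side example (not code from Trend Micro or from the ransomware itself) that scores a file chunk by chunk and flags the mixed high/low entropy pattern such partial encryption produces. The chunk size, the 7.0 bits-per-byte threshold and the constructed sample buffers are assumptions for illustration, not values taken from the Agenda sample.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096        # assumed scan granularity; real tooling would tune this
HIGH_ENTROPY = 7.0       # bits/byte; encrypted or compressed data sits near 8.0
MIN_CHUNK = 1024         # ignore tiny tail chunks: too few bytes to reach high entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk; a short trailing chunk is dropped."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return [shannon_entropy(c) for c in chunks if len(c) >= MIN_CHUNK]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE,
             threshold: float = HIGH_ENTROPY) -> str:
    """Return 'plain', 'encrypted' or 'intermittent' based on per-chunk entropy.

    'intermittent' means some chunks look random and others do not, which is
    the footprint partial encryption leaves behind. Note that a compressed
    archive also scores 'encrypted'; the mixed pattern is the stronger signal.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "plain"
    high = [e >= threshold for e in ents]
    if all(high):
        return "encrypted"
    if not any(high):
        return "plain"
    return "intermittent"


# --- constructed sample buffers (stand-ins for files; not real victim data) ---
_rng = random.Random(1234)   # seeded so the samples are reproducible


def _random_bytes(n: int) -> bytes:
    """Random bytes standing in for ciphertext; this is not an encryptor."""
    return bytes(_rng.randrange(256) for _ in range(n))


_TEXT_CHUNK = (b"quarterly report: revenue by region, see attached table. " * 80)[:CHUNK_SIZE]

SAMPLE_PLAIN = _TEXT_CHUNK * 8
SAMPLE_ENCRYPTED = _random_bytes(CHUNK_SIZE * 8)
# alternate untouched and random-looking chunks, as partial encryption would
SAMPLE_INTERMITTENT = b"".join(
    _TEXT_CHUNK if i % 2 == 0 else _random_bytes(CHUNK_SIZE) for i in range(8)
)

if __name__ == "__main__":
    for name, buf in (("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED),
                      ("intermittent", SAMPLE_INTERMITTENT)):
        print(f"{name:13s} -> {classify(buf)}  "
              f"chunks={[round(e, 2) for e in chunk_entropies(buf)]}")
```

Run over the files in a share or backup set, the 'intermittent' verdict is worth alerting on even when a whole-file entropy check stays quiet, because a file that is half readable text and half random bytes is rarely produced by legitimate software.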
“Notably, the same ransomware, originally written in Go language, was known for targeting healthcare and education sectors in countries like Thailand and Indonesia,” the security researchers explained.
“The actors customized previous ransomware binaries for the intended victim through the use of confidential information such as leaked accounts and unique company IDs as the appended file extension.”
Unlike the previous Golang variant, however, Trend Micro said the Agenda ransomware group did not include the victim’s credentials in the Rust variant’s configuration.
“This feature of the latter prevents other researchers not only from visiting the ransomware’s chat support site but also accessing the threat actors’ conversations when a sample becomes available externally.”
The technique would also keep anyone other than the victim from sending unsolicited messages to the chat support site.
According to Trend Micro, the Agenda ransomware group is one of many slowly migrating its ransomware code to Rust.
“Rust language is becoming more popular among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.”
Google is also making increasing use of the language to improve the security of the Android OS.