{
	"id": "d8c08997-8adc-446c-b27e-b65398ff83bc",
	"created_at": "2026-04-06T00:17:09.518811Z",
	"updated_at": "2026-04-10T03:21:29.006266Z",
	"deleted_at": null,
	"sha1_hash": "9b329e584527291c1bbaa0264b54f891e480eec7",
	"title": "Agenda Ransomware Uses Rust to Target More Vital Industries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3382632,
	"plain_text": "Agenda Ransomware Uses Rust to Target More Vital Industries\r\nPublished: 2022-12-16 · Archived: 2026-04-05 13:05:10 UTC\r\nThis year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agenda’s Rust variant has targeted vital industries like its Go counterpart. In this blog, we discuss how the Rust variant works.\r\nBy: Nathaniel Morales, Ivan Nicole Chavez, Nathaniel Gregory Ragasa, Don Ovid Ladores, Jeffrey Francis Bonaobra, Monte de Jesus. Dec 16, 2022. Read time: 5 min (1239 words)\r\nThis year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems such as Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.\r\nAccording to our observations in the past month, the Agenda ransomware’s activities included posting numerous companies on its leak site. The threat actors not only claimed that they were able to breach the servers of these companies but also threatened to publish their files. The companies that the ransomware group posts on its leak site are located in different countries and belong mostly to the manufacturing and IT industries, with a combined revenue that surpasses US$550 million.\r\nRecently, we found a sample of the Agenda ransomware written in Rust and detected as Ransom.Win32.AGENDA.THIAFBB. Notably, the same ransomware, originally written in Go, was known for targeting the healthcare and education sectors in countries like Thailand and Indonesia. 
The actors customized previous ransomware binaries for the intended victim through the use of confidential information such as leaked accounts and unique company IDs used as the appended file extension. The Rust variant has also been seen using intermittent encryption, one of the emerging tactics that threat actors use today for faster encryption and detection evasion.\r\nhttps://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html\r\nPage 1 of 11\r\nFigure 1. Submission details of the binary in VirusTotal, including the submission date and the region it was uploaded from\r\nFigure 2. Strings viewed in BinText showing Rust modules and functions used by the binary\r\nBlackbox analysis\r\nWhen executed without arguments, the Rust binary prints an error requiring a password to be passed as an argument. This command-line requirement is shared with the Agenda ransomware binaries written in Golang.\r\nFigure 3. Error prompt when the sample was executed without a password\r\nWhen the sample is executed with the “-password” parameter and a dummy password, “AgendaPass”, the ransomware runs its malicious routine, starting with the termination of various processes and services.\r\nFigure 4. Termination of applications and services\r\nSpecific to the sample we analyzed, the ransomware appends the extension “MmXReVIxLV” to encrypted files. It also displays activity logs on the command prompt, including the name of each file it has encrypted and the elapsed time.\r\nFigure 5. Examples of encrypted files\r\nFigure 6. Logs written while encrypting files\r\nThe ransomware then drops its ransom note in every directory it encrypts. 
As observed in its ransom note, the password used to execute the ransomware is also the password for logging in to the ransomware group’s support chat site.\r\nFigure 7. Agenda ransom note\r\nAgenda ransomware analysis\r\nUnlike Agenda’s Golang variant, which accepts 10 arguments, the Rust variant accepts only three:\r\nArgument | Description\r\n-password {string} | Defines the password required to run the binary; the same password is used to log in to the group’s chat site\r\n-ips {IP address} | Allows IP addresses to be provided\r\n-paths {directory} | Defines the path from which directories are parsed; if the flag is given but left empty, all directories are scanned\r\nTable 1. Arguments used by the Agenda ransomware’s Rust variant\r\nLike the earlier samples compiled in Golang, the Rust variant carries a hard-coded configuration inside the binary.\r\nFigure 8. Function inside the binary containing the configuration\r\nFigure 9. Strings containing the configuration\r\nThe configuration also adds the -n, -p, fast, skip, and step flags, which are not present in the Golang variant’s configuration and were only usable there via command-line arguments. On further analysis, we learned that these flags control intermittent encryption. This tactic lets the ransomware encrypt the victim’s files faster by encrypting only parts of each file, with the encrypted portions determined by the values of the flags. 
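The three flag sets are easiest to compare as byte layouts. The Python below is an added analyst-side model, not code from the Agenda binary or from the Trend Micro write-up: for a file of a given size it computes which byte ranges each mode (fast, skip/step, n/p) leaves as ciphertext and what fraction of the file that is. Two things the page does not state are assumptions here: that the n/p cycle (encrypt, skip, encrypt, and so on) repeats to the end of the file rather than stopping after one block, and that the P percentage is floored to whole bytes (the write-up’s own figure of 880,818 bytes for 1% of an 88,082,336-byte file is slightly below a straight 1%, so the binary’s exact rounding is unknown).

```python
# Added example: an analyst-side model of the three intermittent-encryption
# modes that the write-up describes for Agenda's Rust variant (fast, skip/step,
# n/p). This is NOT code from the ransomware; it only reproduces the byte
# layout the flags imply so the effect of each setting can be compared.
#
# Assumptions (not stated on the original page):
#   * the n/p cycle (encrypt, skip, encrypt, ...) repeats until end of file;
#   * the p percentage is floored to whole bytes (file_size * p // 100).
from typing import List, Tuple

UNIT = 0x200000          # 2 MiB: the unit both 'fast' and 'n' are multiplied by
Range = Tuple[int, int]  # half-open [start, end) byte range that gets encrypted


def layout_fast(file_size: int, n: int) -> List[Range]:
    '''fast N: only the first N * 0x200000 bytes are encrypted.'''
    if n < 0:
        raise ValueError('fast value must be non-negative')
    end = min(file_size, n * UNIT)
    return [(0, end)] if end > 0 else []


def layout_skip_step(file_size: int, skip: int, step: int) -> List[Range]:
    '''skip N / step Y: encrypt Y bytes, leave N bytes untouched, repeat to EOF.'''
    if step <= 0 or skip < 0:
        raise ValueError('step must be positive and skip non-negative')
    return _alternate(file_size, encrypt=step, skip=skip)


def layout_n_p(file_size: int, n: int, p: int) -> List[Range]:
    '''n N / p P: encrypt N * 0x200000 bytes, skip P percent of the file size,
    then (assumption) repeat until EOF.'''
    if n <= 0 or not 0 <= p <= 100:
        raise ValueError('n must be positive and p a percentage 0..100')
    skip = file_size * p // 100  # assumption: floored to whole bytes
    return _alternate(file_size, encrypt=n * UNIT, skip=skip)


def _alternate(file_size: int, encrypt: int, skip: int) -> List[Range]:
    '''Walk the file alternating encrypted and skipped regions, clamping at EOF.'''
    ranges: List[Range] = []
    pos = 0
    while pos < file_size:
        end = min(file_size, pos + encrypt)
        ranges.append((pos, end))
        pos = end + skip
    return ranges


def encrypted_bytes(ranges: List[Range]) -> int:
    '''Total number of bytes covered by the encrypted ranges.'''
    return sum(end - start for start, end in ranges)


def coverage(ranges: List[Range], file_size: int) -> float:
    '''Fraction of the file that is actually ciphertext, 0.0..1.0.'''
    return encrypted_bytes(ranges) / file_size if file_size else 0.0


def is_encrypted(ranges: List[Range], offset: int) -> bool:
    '''True if the byte at offset falls in an encrypted region.'''
    return any(start <= offset < end for start, end in ranges)


if __name__ == '__main__':
    # Constructed input: same size as the dummy file in the write-up (88,082,336 bytes).
    size = 88_082_336
    for name, ranges in (
        ('fast 1', layout_fast(size, 1)),
        ('skip 0x100000 / step 0x100000', layout_skip_step(size, 0x100000, 0x100000)),
        ('n 1 / p 1', layout_n_p(size, 1, 1)),
    ):
        print(f'{name:32} regions={len(ranges):4} '
              f'encrypted={encrypted_bytes(ranges):>10,} bytes '
              f'coverage={coverage(ranges, size):6.1%}')
```

Run against the write-up’s 88,082,336-byte file size, fast 1 touches about 2.4% of the file, while n 1 / p 1 still covers roughly 71% because a 1% skip is small next to a 2 MiB block. That gap is the practical caveat: intermittent encryption cuts I/O, but how much plaintext survives depends entirely on the flag values, so a detection that counts bytes written per file will see very different volumes from the same family.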
This tactic is becoming more popular among ransomware actors because it speeds up encryption and evades detections that rely heavily on file read/write operations.\r\nFlags | Description\r\nfast {N} | Encrypts only the first N * 0x200000 bytes (N * 2 MiB) of the file\r\nskip {N} / step {Y} | Skips N bytes after every Y bytes encrypted\r\nn {N} / p {P} | Encrypts N * 0x200000 bytes of the file, then skips P percent of the file size\r\nTable 2. Flags used for intermittent encryption\r\nFigure 10. Flags used for intermittent encryption\r\nFigure 11. Command-line arguments accepted by the Golang variant of the Agenda ransomware\r\nWe tried to mimic its encryption behavior using some of the flags present in its configuration. For this simulation, we used a dummy file filled with “A” as its content.\r\nFor fast mode:\r\nValue: 1\r\nFigure 12. Fast flag set to 1\r\nEncrypted bytes: 1 * 0x200000 (2,097,152 bytes), where 1 is the value set in the fast flag\r\nFigure 13. 0x200000 bytes encrypted\r\nFor n/p mode:\r\nFigure 14. Flags set to n = 1; p = 1\r\nTotal size = 88,082,336 bytes\r\nBytes encrypted = 1 * 0x200000 (2,097,152 bytes), where 1 is the value set in the n flag\r\nBytes skipped = 880,818 bytes (1% of the whole file), where 1 is the value set in the p flag\r\nFigure 15. 0x200000 bytes encrypted\r\nFigure 16. 
880,818 bytes (equivalent to 1% of the file) encrypted\r\nAside from the additional flags for the different encryption modes, the Rust variant adds AppInfo (the Application Information service) to its roster of services to stop and disable. AppInfo is the Windows service that brokers User Account Control (UAC) elevation, the feature that helps prevent malware from executing with administrative rights; once it is stopped and disabled, other applications can no longer be run with administrative privileges on the host.\r\nFigure 17. Function used to stop a service using parameter 0x01 (SERVICE_CONTROL_STOP)\r\nFigure 18. Function used to disable a service using parameter 0x04 (SERVICE_DISABLED)\r\nFigure 19. Unable to run an application with administrative rights after disabling the AppInfo service\r\nThe Agenda ransomware is also known to deploy customized ransomware for each victim, and its Rust variants reserve space in their configuration for accounts, used mostly for privilege escalation.\r\nFigure 20. Allocated accounts in the Rust variant configuration of the Agenda ransomware\r\nThe file extension appended to encrypted files is hard-coded in its configuration.\r\nFigure 21. File extension to be appended\r\nUnlike the previous Golang variant, however, the threat actors did not include the victim’s credentials in the configuration of the Rust variant. This prevents researchers who obtain a sample from visiting the ransomware’s chat support site and reading the threat actors’ conversations with the victim, and it also blocks unsolicited messages from anyone other than the victim.\r\nFigure 22. 
The Agenda ransomware chat support site\r\nConclusion\r\nAn emerging ransomware family, Agenda has recently been targeting critical sectors such as the healthcare and education industries. At present, its operators appear to be in the middle of migrating their ransomware code to Rust, as recent samples still lack some features seen in the original Golang binaries. Rust is becoming more popular among threat actors because it is harder to analyze and has a lower detection rate by antivirus engines.\r\nThreat actors continue to favor ransomware as their tool of choice for conducting their operations, reiterating the call for enterprises and organizations to rely on a multilayered solution to secure data. Trend Micro Vision One™ products provide visibility, correlated detection, and behavior monitoring across multiple layers (email, endpoints, servers, and cloud workloads) to help enterprises and organizations protect their systems from different threats, including ransomware.\r\nIndicators of Compromise (IOCs)\r\nSHA256 | Detection\r\ne90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527 | Ransom.Win32.AGENDA.THIAFBB\r\n55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1 | Ransom.Win32.AGENDA.THIAHBB\r\n37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6 | Ransom.Win32.AGENDA.THIAHBB\r\nSource: https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html"
	],
	"report_names": [
		"agenda-ransomware-uses-rust-to-target-more-vital-industries.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434629,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b329e584527291c1bbaa0264b54f891e480eec7.pdf",
		"text": "https://archive.orkl.eu/9b329e584527291c1bbaa0264b54f891e480eec7.txt",
		"img": "https://archive.orkl.eu/9b329e584527291c1bbaa0264b54f891e480eec7.jpg"
	}
}