Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
A sophisticated Agenda ransomware attack was identified deploying the group's Linux variant on Windows systems, achieving cross-platform execution that makes detection significantly harder for enterprises. The operators used remote management tools for initial deployment and BYOVD (Bring Your Own Vulnerable Driver) techniques, loading a legitimately signed but vulnerable driver to disable security products from kernel mode. Running Linux ransomware on Windows through a compatibility layer or virtualization is an evasion strategy that sidesteps endpoint controls tuned to Windows PE executables: the encryptor never appears as a native Windows binary. The research provides detection strategies for this cross-platform execution technique.
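As an added illustration of the detection angle described above (this is example code, not the report's own detection logic), the script below applies two heuristics over constructed, Sysmon-style process-creation events: flag any WSL launcher (`wsl.exe`, `bash.exe`, `wslhost.exe`) whose process ancestry leads back to a remote-management agent, and flag files on Windows paths whose first bytes carry the ELF magic. MeshAgent is named in the related research; the event field names, the `C:\Users\Public\update` path, the `wsl.exe -e` command line and the sample events are assumptions constructed for the example.

```python
"""Added example: spot Linux-payload execution on Windows reached through a
remote-management tool. Event schema and sample data are constructed for
illustration and are not taken from the original report."""
import ntpath

# Remote-management binaries treated as suspicious ancestors of a WSL launch.
# MeshAgent is named in the related research; any other entry is an assumption.
RMM_PARENTS = {"meshagent.exe"}
# Windows binaries that hand execution over to a Linux environment (WSL).
WSL_LAUNCHERS = {"wsl.exe", "bash.exe", "wslhost.exe"}
ELF_MAGIC = b"\x7fELF"
MAX_DEPTH = 8  # bound the ancestry walk so pid reuse cannot loop forever


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def is_elf(header: bytes) -> bool:
    """True when the first bytes are an ELF header, i.e. a Linux executable on disk."""
    return header[:4] == ELF_MAGIC


def ancestors(event, by_pid, max_depth=MAX_DEPTH):
    """Yield the ancestor events of `event`, nearest first, up to max_depth."""
    seen = {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen and len(seen) <= max_depth:
        yield cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])


def flag_wsl_from_rmm(events):
    """Return WSL launches whose ancestry includes a remote-management agent.

    Walking the full chain (not only the direct parent) catches the common
    agent -> cmd.exe -> wsl.exe shape as well as a direct spawn.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in WSL_LAUNCHERS:
            continue
        for anc in ancestors(e, by_pid):
            if basename(anc["image"]) in RMM_PARENTS:
                hits.append({"pid": e["pid"], "cmdline": e["cmdline"],
                             "via": basename(anc["image"])})
                break
    return hits


def elf_drops(files):
    """Return Windows paths whose content starts with an ELF header."""
    return [path for path, header in files if is_elf(header)]


# Constructed sample events (hypothetical pids, paths and command lines).
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 900, "ppid": 400, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 400, "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe", "cmdline": "MeshAgent.exe"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c wsl.exe -e /mnt/c/Users/Public/update"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\wsl.exe", "cmdline": "wsl.exe -e /mnt/c/Users/Public/update"},
    # Benign: an interactive WSL shell started from Explorer, not from an agent.
    {"pid": 1500, "ppid": 900, "image": r"C:\Windows\System32\wsl.exe", "cmdline": "wsl.exe"},
]

# Constructed (path, first bytes) pairs standing in for a file scan.
SAMPLE_FILES = [
    (r"C:\Users\Public\update", b"\x7fELF\x02\x01\x01\x00"),  # Linux binary staged on Windows
    (r"C:\Windows\notepad.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # ordinary PE file
]

if __name__ == "__main__":
    for hit in flag_wsl_from_rmm(SAMPLE_EVENTS):
        print(f"WSL launch pid={hit['pid']} via {hit['via']}: {hit['cmdline']}")
    for path in elf_drops(SAMPLE_FILES):
        print(f"ELF binary on Windows path: {path}")
```

Both heuristics are coarse on their own: a WSL launch is routine on developer hosts, and ELF files appear legitimately under WSL distributions. Their value is in the combination, and in pairing them with the driver-load telemetry a BYOVD attempt produces, so that the agent-to-WSL chain and a staged ELF encryptor are correlated rather than alerted on separately.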
Related Research
Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
Uncovered the Agenda ransomware group adopting SmokeLoader and a new loader named NETXLOADER for improved delivery and evasion.
Agenda Ransomware Exploits MeshAgent and WSL for Cross-Platform Attacks
Thread on Agenda ransomware exploiting MeshAgent and Windows Subsystem for Linux (WSL) to deploy Linux payloads on Windows systems, raising the bar for cross-platform sophistication.
Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma
First discovery of Play ransomware's Linux variant targeting ESXi, with infrastructure ties to the Prolific Puma link-shortening service.
Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
Documented Cerber ransomware operators rapidly weaponizing CVE-2023-22518 in Atlassian Confluence for initial access and encryption deployment.