A new piece of ransomware targeting healthcare and education organisations has been detected in South Africa. It's been known to demand a ransom of up to $800,000 or R13.6 million, according to cyber security software company Trend Micro.

Ransomware is a type of malware that prevents or limits users from accessing their system until a ransom is paid. Ransomware attacks in South Africa have increased over the past year, with cyber criminals even targeting government organisations such as the Department of Justice and Constitutional Development and state-owned enterprises such as Transnet.

A new piece of ransomware – named "Agenda" – was recently identified by Trend Micro following an attack on one of its customers. Its name was identified through posts to the dark web and corroborated by ransom notes. This led Trend Micro to start investigating the ransomware's origins, methods, and reach.

"Agenda" has been detected in Indonesia, Saudi Arabia, Thailand, and South Africa.

"Every ransomware sample was customised for the intended victim," noted Trend Micro in a statement on its investigation's outcomes issued on 25 August.

"Our investigation showed that the samples had leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files."

This specific piece of ransomware is particularly dangerous because it can reboot systems into safe mode, stop many server-specific processes and services, and run in multiple modes. All samples collected by Trend Micro were 64-bit Windows PE (Portable Executable) files written in Go, aimed at Windows-based systems.

"Agenda" terminates antivirus-related processes, changes the default user's password and, while encrypting data, enables automatic login with the new credentials. The ransomware also compromises an entire network and its shared drives.

"We believe that Qilin [the username associated with posts on the dark web] or the 'Agenda' ransomware group offers affiliates options to customise configurable binary payloads for each victim, including details such as company ID, RSA key, and processes and services to kill before the data encryption," explained Trend Micro.

"Also, the ransom amount requested is different per company, ranging from $50,000 [R851,000] to $800,000 [R13.6 million]."

Screenshots of the ransom negotiations, published by Trend Micro and timestamped as early as July 2022, show Qilin demanding $200,000 [R3.4 million] to unlock the victim's system.

"Ransomware continues to evolve, developing more sophisticated methods and techniques to trap organisations. Our investigation shows how the new targeted ransomware 'Agenda' is written in the Go language, making it harder to detect and analyse," said Trend Micro.

"This ransomware has techniques for evading detection by taking advantage of the 'safe mode' feature of a device to proceed with its encryption routine unnoticed. The ransomware also takes advantage of local accounts to log on as spoofed users and execute the ransomware binary, further encrypting other machines if the logon attempt is successful. It also terminates numerous processes and services…"
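The combination described above, a forced safe-mode reboot paired with automatic logon as a changed local account, leaves host-side traces a defender can check for. The following script is an added example for this article and is not Trend Micro's code or anything from the Agenda samples. It relies on two documented Windows mechanisms: automatic logon is configured by the `AutoAdminLogon`, `DefaultUserName` and `DefaultPassword` values under the Winlogon registry key, and a forced safe-mode boot is set through the `safeboot` element of the Boot Configuration Data (what `bcdedit` displays). The `HostSnapshot` structure, the hostnames and every value in the two sample snapshots are constructed for illustration; a real deployment would fill them from an inventory or EDR agent. Because both features are legitimate (kiosk machines use autologon, technicians use safeboot), the result is a triage signal, with the pairing of the two rated highest.

```python
"""Added example: flag the safe-mode + automatic-logon pairing described in the
article. Not Trend Micro's code; snapshot data below is constructed."""

from dataclasses import dataclass

# Real Windows registry key that holds the automatic-logon settings.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


@dataclass
class HostSnapshot:
    """Hypothetical container for what an inventory agent would collect from one host."""
    hostname: str
    winlogon: dict      # value name -> value, as read under WINLOGON_KEY
    bcd_lines: list     # text lines of the current boot entry, bcdedit-style


def safeboot_mode(bcd_lines):
    """Return the configured safeboot value ('minimal' or 'network'), or None."""
    for line in bcd_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "safeboot":
            return parts[1].lower()
    return None


def autologon_enabled(winlogon):
    """True when Winlogon will sign in the default user without prompting."""
    return (str(winlogon.get("AutoAdminLogon", "0")).strip() == "1"
            and bool(winlogon.get("DefaultUserName")))


def assess(snapshot):
    """Return (severity, findings) for one host snapshot."""
    findings = []
    mode = safeboot_mode(snapshot.bcd_lines)
    if mode:
        findings.append(f"BCD safeboot={mode}: the next reboot enters safe mode")
    auto = autologon_enabled(snapshot.winlogon)
    if auto:
        findings.append(
            f"AutoAdminLogon=1 for user '{snapshot.winlogon['DefaultUserName']}'")
    if snapshot.winlogon.get("DefaultPassword"):
        findings.append("plaintext DefaultPassword present under Winlogon")
    if mode and auto:
        severity = "high"      # the exact pairing the article attributes to Agenda
    elif findings:
        severity = "medium"    # one half of the pairing; worth a look, often benign
    else:
        severity = "none"
    return severity, findings


# Constructed sample hosts (not real data): one clean, one showing the pairing.
CLEAN = HostSnapshot(
    hostname="ws01",
    winlogon={"AutoAdminLogon": "0", "DefaultUserName": "jdoe"},
    bcd_lines=["identifier  {current}",
               "device  partition=C:",
               "path  \\Windows\\system32\\winload.exe"],
)
SUSPECT = HostSnapshot(
    hostname="srv07",
    winlogon={"AutoAdminLogon": "1",
              "DefaultUserName": "Administrator",
              "DefaultPassword": "constructed-example"},
    bcd_lines=["identifier  {current}",
               "safeboot  Network",
               "path  \\Windows\\system32\\winload.exe"],
)

if __name__ == "__main__":
    for host in (CLEAN, SUSPECT):
        severity, notes = assess(host)
        print(host.hostname, severity, notes)
```

Run it as-is to see the clean host rated `none` and the suspect host rated `high` with three findings. In practice the snapshot would be collected centrally across the fleet, and a sudden appearance of the high-severity pairing on several servers at once is the pattern worth paging on.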

To protect a system against "Agenda" and other forms of ransomware, Trend Micro recommends enabling multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network. It also recommends the 3-2-1 rule when backing up important files: create three backup copies on two different file formats, with one of the copies stored in a separate location.