Agenda Ransomware Evolves, Hits Critical Infrastructure

Agenda (Qilin) Ransomware Abuses Legitimate Tools in Attacks on Critical Infrastructure

HIGH
October 24, 2025
Ransomware, Threat Actor, Industrial Control Systems


Executive Summary

The Agenda ransomware group, which also operates under the alias Qilin, has significantly evolved its tactics to conduct highly effective attacks against critical infrastructure. Research from Trend Micro reveals the group is now using a sophisticated cross-platform attack methodology, abusing legitimate remote access and backup tools to remain undetected. Key TTPs include deploying a Linux ransomware variant on Windows systems, using Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software, and stealing backup credentials to prevent recovery. The Agenda RaaS operation has impacted nearly 600 victims across 58 countries since January 2025, with a strong focus on manufacturing, technology, and healthcare sectors in developed nations.


Threat Overview

  • Threat Actor: Agenda (also known as Qilin), a Ransomware-as-a-Service (RaaS) group.
  • Malware: Agenda Ransomware, with variants for both Windows and Linux.
  • Targets: A strong focus on critical infrastructure and high-value sectors, including manufacturing, technology, financial services, and healthcare. The majority of victims are in the U.S., Canada, and the U.K.
  • Initial Access: Often gained through social engineering, using phishing emails with fake CAPTCHA pages to deliver information stealers that harvest credentials and session tokens.

Technical Analysis

The Agenda group's updated tactics demonstrate a focus on stealth and defense evasion:

  1. Cross-Platform Attack: A key innovation is their use of a Linux-based ransomware binary on Windows hosts. They achieve this by leveraging legitimate remote management and file transfer tools, allowing them to bypass many Windows-centric EDR and antivirus solutions. This is a form of T1219 - Remote Access Software.
  2. Defense Evasion (BYOVD): The group uses Bring Your Own Vulnerable Driver attacks (T1068 - Exploitation for Privilege Escalation) to disable or terminate endpoint security products. By exploiting a known vulnerability in a legitimate, signed driver, they can execute code with kernel-level privileges to kill antivirus processes.
  3. Inhibit System Recovery: Before deploying ransomware, the attackers actively hunt for and steal credentials for backup systems (T1490 - Inhibit System Recovery). This allows them to disable or delete backups, increasing the pressure on the victim to pay the ransom.
  4. Valid Accounts: The use of information stealers in the initial access phase provides the attackers with legitimate credentials (T1078 - Valid Accounts), which they use to blend in with normal network traffic and move laterally.

Impact Assessment

The impact of an Agenda ransomware attack is severe, particularly for critical infrastructure operators:

  • Operational Disruption: Encryption of critical systems in sectors like manufacturing or healthcare can lead to a complete halt in operations, with potential public safety consequences.
  • Data Breach and Double Extortion: The group exfiltrates sensitive data before encryption and threatens to leak it on their dark web site, adding a layer of public and regulatory pressure.
  • High Financial Costs: Victims face costs from ransom payments, incident response, system restoration, and lost revenue.
  • Difficult Recovery: By actively targeting backups, the group makes recovery from an attack significantly more difficult, lengthy, and expensive.

IOCs

No specific Indicators of Compromise (IOCs) were provided in the source reports.

Detection & Response

  • Monitor for Legitimate Tool Abuse: Scrutinize the usage of remote access tools (e.g., RDP, VNC, AnyDesk). Alert on connections from unusual sources or at odd times. The execution of a Linux binary on a Windows system (e.g., via WSL) is a major red flag. This aligns with D3FEND's Process Analysis.
  • Driver Load Monitoring: Monitor for the loading of known vulnerable drivers. EDR solutions and system monitoring tools can be configured to alert when a blacklisted driver is loaded into the kernel.
  • Backup System Auditing: Treat your backup infrastructure as a critical security asset. Monitor access logs for backup servers and applications for any anomalous activity, especially credential access or deletion attempts.

Mitigation

  • Secure Remote Access: Harden all remote access solutions. Enforce strong, unique passwords and mandate the use of MFA. Restrict access to only authorized users and source IP addresses.
  • Harden Backup Infrastructure: Isolate backup servers from the primary network. Use immutable backups and the 3-2-1 rule (3 copies, 2 different media, 1 offsite). Ensure that credentials used for backup systems are not shared with domain administrator accounts.
  • Endpoint Security: Deploy an EDR solution capable of detecting and blocking BYOVD techniques and suspicious process behavior. Use application control to prevent the execution of unauthorized binaries.
  • User Training: Since initial access often relies on social engineering, continuous user training on identifying phishing is essential.

Timeline of Events

October 24, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Enforce MFA on all remote access tools and privileged accounts to prevent attackers from using stolen credentials.
  • Use application control and driver blocklisting to prevent the execution of unauthorized binaries and the loading of known vulnerable drivers used in BYOVD attacks.
  • Isolate critical systems and backup infrastructure in separate network segments to limit the blast radius of a ransomware attack.

D3FEND Defensive Countermeasures

To counter the Agenda group's use of Bring Your Own Vulnerable Driver (BYOVD) attacks, organizations must implement robust driver integrity checking. This can be achieved using modern EDR solutions and Windows Defender Application Control (WDAC). Create a policy that explicitly blocks the loading of known vulnerable drivers. Security vendors and community projects maintain lists of these drivers. By deploying a driver blocklist, you can prevent the attacker from loading the vulnerable driver they need to gain kernel-level privileges and disable your security tools. This is a proactive hardening measure that directly neutralizes one of Agenda's most dangerous TTPs.

The Agenda group's tactic of running a Linux ransomware binary on a Windows host is highly anomalous and detectable with proper process analysis. Security teams should configure their EDR/SIEM to generate a high-priority alert for any execution of the Windows Subsystem for Linux (wsl.exe) on critical servers, especially those that have no legitimate business reason to run Linux binaries. Furthermore, monitor for legitimate remote management tools (like AnyDesk, TeamViewer) being used to launch suspicious processes or transfer executables. Baselining normal tool usage and alerting on deviations is key to spotting this abuse of legitimate software.
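The detection guidance in this report (the Detection & Response bullets, the driver blocklist countermeasure, and the wsl.exe / remote-tool process analysis above) can be expressed as a small rule set run over endpoint telemetry. The following is an added example, not code from the report or from Trend Micro. It runs over constructed Sysmon-style events; the host roles, the per-host remote-tool baseline, the event layout, and the driver blocklist entry (a placeholder hash, since the report provides no IoCs) are all assumptions:

```python
"""Detection rules for the Agenda/Qilin tradecraft described in the report,
run over constructed Sysmon-style events.  Added example: host roles, the
tool baseline, event layout and the blocklist entry are assumptions.
"""
from dataclasses import dataclass

# Assumed inventory: WSL has no business reason to run on a "server".
HOST_ROLES = {"FILESRV01": "server", "DC01": "server", "WS-ALICE": "workstation"}

# Assumed baseline of remote management tools normally observed per host.
REMOTE_TOOL_BASELINE = {"WS-ALICE": {"anydesk.exe"}, "FILESRV01": set(), "DC01": set()}

REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "tv_w32.exe", "vncserver.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wsl.exe"}
# User-writable locations a transferred binary would typically be staged in.
STAGING_DIRS = ("\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

# Driver blocklist keyed by SHA256.  PLACEHOLDER hash, not a real indicator;
# in production this would be populated from a vendor or community list.
DRIVER_BLOCKLIST = {"d34db33f" * 8: "placeholder-vulnerable-driver.sys"}


@dataclass
class Event:
    event_id: int          # Sysmon 1 = process create, 6 = driver loaded
    host: str
    image: str             # Image (ID 1) or ImageLoaded (ID 6)
    parent_image: str = ""
    hashes: str = ""       # Sysmon format: "SHA256=<hex>,MD5=<hex>"


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def sha256_of(hashes: str) -> str:
    """Pull the SHA256 value out of Sysmon's comma-separated Hashes field."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def evaluate(events):
    """Return (host, severity, reason) tuples for every rule match."""
    alerts = []
    for ev in events:
        exe = basename(ev.image)
        if ev.event_id == 6:
            name = DRIVER_BLOCKLIST.get(sha256_of(ev.hashes))
            if name:
                alerts.append((ev.host, "HIGH", f"blocklisted driver loaded: {exe} ({name})"))
            continue
        if ev.event_id != 1:
            continue
        parent = basename(ev.parent_image)
        # Rule 1: Linux-binary execution path (WSL) on a server.
        if exe == "wsl.exe" and HOST_ROLES.get(ev.host) == "server":
            alerts.append((ev.host, "HIGH", "wsl.exe executed on a server"))
        # Rule 2: remote management tool seen on a host where it is not baselined.
        if exe in REMOTE_TOOLS and exe not in REMOTE_TOOL_BASELINE.get(ev.host, set()):
            alerts.append((ev.host, "MEDIUM", f"remote tool outside baseline: {exe}"))
        # Rule 3: remote tool spawning a shell or a binary from a staging directory.
        if parent in REMOTE_TOOLS and (
            exe in SHELLS or any(d in ev.image.lower() for d in STAGING_DIRS)
        ):
            alerts.append((ev.host, "HIGH", f"{parent} launched {exe}"))
    return alerts


# Constructed sample telemetry mixing benign and suspicious activity.
SAMPLE_EVENTS = [
    Event(1, "WS-ALICE", r"C:\Program Files\AnyDesk\AnyDesk.exe", r"C:\Windows\explorer.exe"),
    Event(1, "FILESRV01", r"C:\Program Files\AnyDesk\AnyDesk.exe", r"C:\Windows\System32\services.exe"),
    Event(1, "FILESRV01", r"C:\Windows\System32\wsl.exe", r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    Event(1, "FILESRV01", r"C:\Users\Public\update.exe", r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    Event(6, "DC01", r"C:\Windows\Temp\drv.sys", hashes="SHA256=" + "d34db33f" * 8 + ",MD5=0"),
    Event(1, "WS-ALICE", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, sev, reason in evaluate(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {reason}")
```

The per-host baseline is what turns the generic "remote tool running" signal into something actionable: the AnyDesk launch on the workstation is silent because it is expected there, while the same binary on the file server, the WSL launch it spawns, and the binary dropped in Users\Public each produce their own alert. The driver rule matches on hash rather than file name because a renamed copy of a vulnerable driver is still the same driver.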

To mitigate the threat of attackers stealing and using backup credentials, organizations must treat backup infrastructure with the same rigor as their primary domain controllers. Backup administrator accounts must be unique, not shared with domain admin accounts, and protected with MFA. The backup servers themselves should be on an isolated network segment, with highly restrictive firewall rules allowing access only from specific management consoles. By creating a separate credential and administrative tier for the backup environment, you can prevent an attacker who has compromised the primary domain from easily pivoting to and destroying your recovery capabilities.
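The separate backup tier described above is easy to state and easy to drift away from, so it is worth checking mechanically. The following is an added example, not tooling from the report: it audits a constructed group-membership export, a constructed account table, and a constructed firewall rule set for the three failure modes the paragraph calls out (backup admins shared with domain admins, backup admins without MFA, and allow rules into the backup segment from outside the management subnet). The group names, hosts, accounts and subnets are all assumptions:

```python
"""Audit checks for the backup credential and network tier described above.
Added example; group names, accounts, hosts and subnets are constructed.  In
practice the inputs would come from a directory group export and a firewall
rule dump rather than the literals below.
"""
import ipaddress

# Constructed group membership export: one service account sits in both tiers.
GROUP_MEMBERS = {
    "Domain Admins": {"alice.da", "svc_backup"},
    "Backup Admins": {"bob.bk", "svc_backup"},
}

# Constructed account attributes (assumption: an "mfa" flag per account).
ACCOUNTS = {
    "alice.da": {"mfa": True},
    "bob.bk": {"mfa": False},
    "svc_backup": {"mfa": False},
}

# Constructed: only this subnet hosts the backup management consoles.
MANAGEMENT_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed firewall rules whose destination is the backup server.
FIREWALL_RULES = [
    {"dst": "BKP01", "src": "10.50.0.0/24", "port": 443, "action": "allow"},
    {"dst": "BKP01", "src": "10.0.0.0/8", "port": 3389, "action": "allow"},
    {"dst": "BKP01", "src": "0.0.0.0/0", "port": 445, "action": "deny"},
]


def shared_tier_accounts(groups, privileged="Domain Admins", backup="Backup Admins"):
    """Accounts that hold both domain-admin and backup-admin membership."""
    return sorted(groups.get(privileged, set()) & groups.get(backup, set()))


def backup_admins_without_mfa(groups, accounts, backup="Backup Admins"):
    """Backup administrators whose account record lacks an MFA flag."""
    return sorted(u for u in groups.get(backup, set()) if not accounts.get(u, {}).get("mfa"))


def overly_broad_rules(rules, mgmt_subnets):
    """Allow rules whose source range is not wholly inside a management subnet."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        if not any(src.subnet_of(m) for m in mgmt_subnets):
            findings.append(rule)
    return findings


def audit(groups=GROUP_MEMBERS, accounts=ACCOUNTS, rules=FIREWALL_RULES, mgmt=MANAGEMENT_SUBNETS):
    return {
        "shared_tier_accounts": shared_tier_accounts(groups),
        "backup_admins_without_mfa": backup_admins_without_mfa(groups, accounts),
        "overly_broad_rules": overly_broad_rules(rules, mgmt),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings if findings else 'OK'}")
```

The firewall check uses containment rather than equality so that a narrower allow (a single console host inside the management subnet) passes while a broader one (the whole 10.0.0.0/8 range reaching RDP on the backup server) is flagged; the deny rule is ignored because only allows widen exposure.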

Sources & References

Trend Micro (trendmicro.com), October 24, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Agenda Ransomware, Qilin, RaaS, BYOVD, Critical Infrastructure
