Threat Research

Ransomware Roundup: Snatch, BianLian and Agenda

By Shunichi Imano and James Slaughter | September 02, 2022

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition covers the Snatch, Agenda, and BianLian ransomware families – all of which are written in the Go programming language (Golang).

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Snatch Ransomware

FortiGuard Labs recently came across a new variant of Snatch ransomware. This is unsurprising, as Snatch ransomware has reportedly been active since at least the end of 2018. The Snatch ransomware group made the news towards the end of 2021 when they claimed on their data leak site to have stolen information from a major automobile manufacturer they had compromised.

Snatch ransomware is one of the early adopters of the Go programming language as ransomware written in Go was far uncommon compared to today. Coincidentally, all other ransomware variants covered in this blog are written in Go.

Snatch ransomware is a file encryptor that came to be known for using a notable file extension, “.snake”, which it appends to encrypted files. However, other file extensions have been observed. The file names of its ransom note also differ from variant to variant.

The reported infection vector of Snatch ransomware is RDP (Remote Desktop Protocol) credential brute-forcing. Microsoft enabled an account lockout policy by default, starting with Windows 11 build 22528.1000, that locks user accounts for failed log-in attempts. That not only makes RDP brute-forcing harder but also any other password-guessing attacks.

The latest Snatch ransomware variant encrypts files on the victim’s machine and appends a “.gaqtfpr” extension to the affected files. It also drops a text file, “HOW TO RESTORE YOUR FILES.TXT”. This ransom note contains two contact email addresses and specific instructions victims must follow when sending emails to the attacker.

Figure 1. Ransom note from the latest Snatch ransomware variant

Figure 2. Files encrypted by the latest Snatch ransomware variant

BianLian Ransomware

BianLian is ransomware that recently started to add victims to its data leak site on Tor. As of this writing, the ransomware group has victimized at least 20 companies since June 2022. Assuming that the threat actor removes entries for victims who made a ransom payment, the actual number of BianLian ransomware victims could be higher.

Figure 3. List of victims claimed by BianLian ransomware

Each BianLian victim is tagged for their country and the industries they belong to. According to the available tags, its ransomware victims are at least in the US, UK, and Australia. Targeted industry sectors include healthcare, education, law firms, construction, media, pharmaceuticals, marketing, resort, and finance. 

Figure 4. Tags used by BianLian ransomware threat actor to classify the victims

A dedicated page is assigned to each victim. The information listed on those pages includes the description of the victim companies, names of CEOs or the company presidents, their personal income, the income, assets, and revenue of those companies, and what information is in the leaked documents.

Figure 5. One of the victim’s information posted on the BianLian ransomware’s data leak site

It is interesting to note that Colin Grady recently observed that leak sites operated by some ransomware threat actors went dark on August 26th, 2022. Some are still having intermittent connectivity issues. The list of these sites reportedly includes both BianLian and Snatch ransomware.

The threat actor also warns victims they have ten days to pay the ransom. Otherwise, stolen information will be posted on the ransomware group’s Tor site. To put additional pressure on the victim, the attacker claims that a link to the stolen information will be sent to the victim’s customers and business associates to damage the victim’s reputation. Victims are instructed to contact the threat actor using Tox or, alternatively, via email. Since the ransom fee and payment method are not on the ransom note, they will be discussed in negotiations with the threat actor.

Figure 6. Ransom note of BianLian ransomware

Figure 7. Contact information listed on BianLian’s data leak site

Figure 8. Files encrypted by BianLian ransomware

Files encrypted by BianLian ransomware have a “.bianlian” file extension.

Agenda Ransomware

Agenda is another Golang-based ransomware. It entered the already-crowded ransomware world in mid-June 2022. Based on relevant samples and their submission locations reported by VirusTotal, the ransomware has potentially infected targets in South Africa, Romania, Lithuania, India, Thailand, the US, Canada, and Indonesia.

The reported infection vector of Agenda ransomware is via logging in to public-facing servers using stolen credentials. The attacker then propagates through the victim’s network to compromise additional machines. Agenda ransomware is deployed to the compromised machines once the attacker gains access to a critical mass of devices on the network.

In an attempt to circumvent detection by AV solutions, the ransomware encrypts files in safe mode. This technique has been observed in other infamous ransomware families, such as REvil, BlackMatter, and AvosLocker. The file extension appended to encrypted files varies from variant to variant. For example, if a ransomware variant uses ".fortinet" as a file extension, "blog.docx" will be changed to "blog.fortinet". The name of its ransom note starts with the file extension it adds to the affected files, followed by “-RECOVER-README.txt”.

A threat actor called "Qilin" is said to be responsible for Agenda ransomware operations. “Qilin” may be referring to a mythical Chinese creature that is said to appear when a sovereign with a heart of benevolence is born.

Figure 9. The ransom note left by Agenda ransomware

Fortinet Protections

Fortinet customers are already protected from these malware variants through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

Snatch

FortiGuard Labs detects the latest Snatch ransomware variant described in this blog with the following AV signature:

  • W64/Filecoder.D083!tr.ransom

The following AV signatures detect known samples of Snatch ransomware variants:

  • W64/Snatch.A!tr.ransom
  • W32/Snatch.B!tr
  • W32/Snatch.7991!tr.ransom
  • W64/Snatch.BD11!tr.ransom
  • W32/Snatch.C09B!tr.ransom
  • W64/Ransom.A!tr
  • W32/Filecoder.A!tr.ransom
  • W32/Filecoder.NYH!tr
  • W32/Filecoder.NYH!tr.ransom
  • W32/Filecoder.NVR!tr.ransom
  • W32/Filecoder.74A0!tr.ransom
  • W64/Filecoder.D083!tr.ransom
  • W64/Filecoder.AA!tr.ransom
  • W32/Crypmod.ADEJ!tr.ransom 
  • W32/DelShad.AM!tr.ransom
  • W32/Trojan_Ransom.AB!tr
  • W32/PossibleThreat

BianLian

FortiGuard Labs detects known samples of BianLian ransomware with the following AV signature:

  • W32/Filecoder.BT!tr.ransom

Agenda

FortiGuard Labs detects known Agenda ransomware variants with the following AV signatures:

  • W32/Agent.AK!tr.ransom
  • W32/PossibleThreat

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization's reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.