What is the Agenda ransomware and how does it operate?

The Agenda ransomware is a 64-bit Windows PE file written in Go (Golang). It is cross-platform and standalone, meaning it can execute without a Go interpreter. Agenda customizes its attack using command-line arguments to define its behavior, including encryption routines, process termination, and ransom note configuration. It can terminate antivirus-related processes, remove shadow volume copies, and reboot machines in safe mode to evade detection and maximize impact.

How does Agenda ransomware evade detection?

Agenda uses several evasion techniques, such as checking if the system is running in safe mode and terminating if so, removing shadow volume copies, terminating specific processes (including antivirus), and changing the default user's password to enable automatic login. It can reboot the system in safe mode and proceed with encryption, similar to the REvil ransomware.

What systems and files does Agenda ransomware target?

Agenda targets Windows systems and is capable of compromising entire networks, not just individual workstations. It can list and encrypt files on network drives by modifying registry settings and restarting the LanmanWorkstation service, allowing access to mapped drives in elevated programs.

How does Agenda ransomware persist on infected systems?

Agenda creates a RunOnce autostart registry entry pointing to a dropped copy of itself (enc.exe) in the Public folder, ensuring it runs after a reboot. It also changes user credentials and enables automatic login to facilitate its encryption routine.

What programming language is Agenda ransomware written in and why is this significant?

Agenda is written in Go (Golang), which allows it to be cross-platform and standalone. Go programs are statically compiled, so they do not require an interpreter on the target system, increasing their portability and making detection more challenging.

How does Agenda ransomware interact with network drives?

Agenda modifies registry keys to enable mapped drives for elevated programs and restarts the LanmanWorkstation service. This allows it to list and encrypt files on network drives, increasing its impact across an organization's infrastructure.

What command-line arguments does Agenda ransomware use?

Agenda accepts various command-line arguments to customize its behavior, such as defining the public RSA key, encryption conditions, processes and services to terminate, and enabling features like safe mode encryption with the -safe argument.

How does Agenda ransomware handle system reboots?

Agenda can reboot the victim's machine in safe mode and proceed with encryption upon reboot. This technique helps it evade certain security controls and ensures successful encryption of files.

What detection evasion techniques does Agenda ransomware use?

Agenda employs several evasion techniques, including terminating antivirus processes, removing shadow volume copies, changing user credentials, enabling automatic login, and rebooting in safe mode to bypass security controls.

How does Agenda ransomware affect organizational networks?

Agenda is capable of compromising entire networks by encrypting files on network drives and shared folders, not just individual workstations. This increases the potential damage and operational disruption for affected organizations.

What features does Cymulate offer for ransomware and threat validation?

Cymulate provides continuous threat validation, simulating real-world ransomware and other cyberattacks to test and validate security defenses. The platform covers the full kill chain, including phishing, malware, lateral movement, data exfiltration, and zero-day exploits, with daily updated threat templates and AI-generated attack plans. Learn more .

How does Cymulate validate endpoint security against ransomware?

Cymulate simulates a variety of endpoint threats, including known malicious file samples, ransomware, worms, trojans, rootkits, DLL side-loading, and code injection. This helps organizations assess and strengthen their endpoint defenses. Read more .

What is Cymulate's Immediate Threats Module and how does it help?

Cymulate's Immediate Threats Module is rapidly updated to reflect new attacks, allowing organizations to quickly assess their IT estate for exposure to emerging threats and implement remedial actions. Customers praise its speed and relevance for proactive defense. Learn more .

How does Cymulate address immediate and emerging threats?

Cymulate's Immediate Threats Module is updated quickly to assess new attacks, enabling organizations to evaluate risk exposure and implement remedial actions promptly. This ensures simulation of the latest threats, including ransomware and other current attack vectors. Source .

What types of threats can Cymulate validate?

Cymulate validates threats across the full kill chain, including phishing, malware, lateral movement, data exfiltration, and zero-day exploits, using daily updated threat templates and AI-generated attack plans. Learn more .

How does Cymulate help organizations become ransomware resilient?

Cymulate provides practical steps and continuous validation to reduce ransomware risk. Organizations can read more in the blog post 7 Essential Steps to Becoming Ransomware Resilient .

What resources does Cymulate offer for healthcare organizations facing ransomware?

Cymulate provides a blog post explaining why proactive cybersecurity strategies are essential for healthcare organizations to protect against ransomware. Read more in our blog post on staying protected from ransomware .

What are malware-based network attacks and how can they be prevented?

Malware-based attacks, such as worms, trojans, and ransomware, disrupt or damage networks. Prevention strategies include deploying advanced endpoint detection and response (EDR), regular patching, monitoring for anomalous activity, and validating lateral movement controls. Learn more .

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, Security Operations (SecOps) teams, Vulnerability Management teams, Red Teams, and Detection Engineers in organizations across industries such as finance, healthcare, and technology. It is ideal for organizations seeking to validate and optimize their security posture against advanced threats like ransomware. Learn more .

What business impact can customers expect from using Cymulate?

Customers typically achieve a 30% improvement in threat prevention, a 52% reduction in critical exposures, a 60% increase in operational efficiency, and an 81% reduction in cyber risk within four months. See more metrics .

What problems does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers. It provides continuous threat validation, actionable insights, and unified exposure management. See case studies .

How does Cymulate help with ransomware threats in the financial sector?

The financial services sector faces sophisticated threats like ransomware, phishing, and APTs. Cymulate helps by validating security controls and simulating advanced attacks to ensure robust protection for both internal systems and customer-facing applications. Learn more .

How does Cymulate address insider threats?

An insider threat is a security risk from within an organization, including malicious, negligent, or compromised insiders. Cymulate helps organizations validate defenses against such threats by simulating relevant attack techniques and providing actionable insights. Read more .

What integrations does Cymulate support?

Cymulate integrates with leading security tools, including EDR/anti-malware (CrowdStrike Falcon, SentinelOne, Carbon Black EDR), cloud security (AWS GuardDuty, Wiz), SIEM (Splunk), vulnerability management (Rapid7 InsightVM), and more. See full list .

Where can I find technical documentation for Cymulate?

Technical resources include the Exposure Management Platform (CTEM) Whitepaper, Data Sheets, Custom Attacks Data Sheet, Technology Integrations Data Sheet, and information on MITRE ATT&CK alignment. Browse resources .

What security and compliance certifications does Cymulate have?

Cymulate is certified for SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1, demonstrating adherence to industry-leading security and privacy standards. Learn more .

How does Cymulate ensure data security and privacy?

Cymulate's services are hosted in secure AWS data centers with ISO 27001, PCI DSS, and SOC 2/3 compliance. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). The company follows a strict Secure Development Lifecycle (SDLC) and provides compliance evidence report templates. Details here .

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model, customized based on the chosen package, number of assets, and scenarios required. For a tailored quote, schedule a demo .

How does Cymulate compare to AttackIQ?

Cymulate offers the industry's leading threat scenario library and AI-powered capabilities for streamlined workflows and accelerated security posture. AttackIQ does not match Cymulate's innovation, threat coverage, or ease of use. Read more .

How does Cymulate compare to Mandiant Security Validation?

Mandiant's platform has seen minimal innovation in recent years, while Cymulate continually innovates with AI and automation, expanding into exposure management as a grid leader. Read more .

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks Cymulate's depth in fully assessing and strengthening defenses. Cymulate optimizes defense, scales offensive testing, and increases exposure awareness. Read more .

How does Cymulate compare to Picus Security?

Picus is suitable for on-premise BAS needs but lacks Cymulate's comprehensive exposure validation platform, which covers the full kill chain and includes cloud control validation. Read more .

How long does it take to implement Cymulate?

Cymulate is known for its quick deployment. Customers can start running simulations almost immediately after deployment, with many reporting ease of implementation and use. See testimonials .

How easy is Cymulate to use?

Customers consistently praise Cymulate for its intuitive and user-friendly design. The platform is easy to implement, navigate, and configure, making it accessible for both technical and non-technical users. Read testimonials .

What support resources does Cymulate provide?

Cymulate offers email support, real-time chat support, webinars, e-books, and a knowledge base to help customers optimize platform usage. Contact support .

What is Cymulate's vision and mission?

Cymulate's vision is to lead the way in how companies implement cybersecurity strategies, making the world a safer place. Its mission is to empower organizations worldwide against threats and make advanced cybersecurity as simple as sending an email. Learn more .

How many customers and what global reach does Cymulate have?

Cymulate serves over 1,000 customers in 50 countries, with offices in eight locations worldwide. See company info .

Where can I watch the Threat Exposure Validation Summer Series video?

You can watch the video Threat Exposure Validation Summer Series: Threat Exposure Validation is a must have in 2025 for more insights on exposure validation trends.

Where can I watch the video on npm supply chain attacks?

Watch npm Under Siege: Worms, Toolchains and the Next Evolution of Supply Chain Attacks for an in-depth look at supply chain threats.

New Golang Ransomware Agenda Customizes Attacks

August 31, 2022

The Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they will execute properly even without a Go interpreter installed on a system. This is possible since Go statically compiles necessary libraries (packages). Upon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality. Agenda builds a runtime configuration to define its behavior, including its public RSA key, encryption conditions, list of processes and services to terminate, encryption extension, login credentials, and ransom note. As part of its initial routine, Agenda determines if the machine is running in safe mode by checking the string safeboot in the data of this registry value: HKEY_LOCAL_MACHINESystemCurrentControlSetControl SystemStartOptions If it detects that the machine is running in safe mode, it terminates execution. The ransomware then removes shadow volume copies via execution of vssadmin.exe delete shadows /all /quiet, as well as terminating specific processes and services indicated in its runtime configuration, some of which are antivirus-related processes and services. After its initial routine, Agenda proceeds to create the runonce autostart entry *aster pointing to enc.exe, which is a dropped copy of itself under the Public folder: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce*aster = %Public%enc.exe Agenda also deploys a detection evasion technique during encryption: It changes the default user’s password and enables automatic login with the new login credentials. This feature can be enabled using the -safe command-line argument. Similar to REvil, Agenda reboots the victim’s machine in safe mode and then proceeds with the encryption routine upon reboot. Agenda is also associated with the compromise of an entire network and its shared drivers. It is not only about the encryption of data on one workstation. The ransomware adds a registry and then restarts the LanmanWorkstation service. After adding a new registry, it uses key [EnableLinkedConnections = 1] in the Enabling Mapped Drives drivers and then in restarting the LanmanWorkstation service. This will allow Agenda to list network drives in elevated programs like cmd.

Featured Resources

View More Resources

Demo

CTEM Demo

Take an interactive tour of Cymulate CTEM and see how to continuously reduce cyber risk across your attack surface.

Learn More

blog

How to Prioritize Vulnerabilities in 2026: From CVSS to Real Risk

Security teams have more vulnerability data than ever. Scanners find exposures across endpoints, cloud assets, applications, identities and third-party tools. The problem is no

CUSTOMERS

Financial Regulatory Authority Strengthens Security and Gains Continuous Visibility with Cymulate

Limited Visibility and Reliance on Point-in-Time Testing With a lean team of five responsible for securing a complex internal environment,

Read Case Study

Frequently Asked Questions

Agenda Ransomware & Technical Threat Details