January 5, 2023 HAWKEYE

Why Are Threat Actors Now Using Rust to Develop New Ransomware?

Rust, a relatively new programming language, was introduced in 2015 and has since gained popularity for its pleasant developer experience and for the advantages it offers malware authors. According to the 2022 Stack Overflow Developer Survey, Rust has held the title of “most loved” programming language among surveyed developers for seven years running, since its initial release. It was also the language developers most wanted to learn, narrowly beating out Python, which may not come as a surprise.

Microsoft security researchers have found new versions of the Hive ransomware, which has been around for about a year and was originally written in Go but has since been ported to Rust. Hive began moving to Rust a few months ago, following the lead of the BlackCat ransomware, which is also written in Rust. This raises the question of what, exactly, ransomware groups find so enticing about a language the software industry itself has embraced.

Features of the Rust programming language:

  • Efficiency:
    Rust claims to be “blazingly fast and memory-efficient,” substantially faster than programming languages like C and C++; the same is true of many other contemporary languages intended to replace more traditional ones. According to Microsoft’s investigation, Rust offers superior memory, data type, and thread safety compared to other languages. Memory safety is crucial when developing reliable software, since memory-unsafe programs can crash. For a ransom demand to be credible, the ransomware must keep running and keep victims locked out of their systems. In non-malicious software, the bulk of flaws are likewise caused by memory-unsafe code.
  • Evasive Actions:
    Newer languages like Rust and Go are believed to be better at hiding their internal workings from malware analysts, so the samples cannot easily be reverse-engineered to produce decryptors, which would destroy the operators’ ability to make money. Additionally, the Rust-based samples are command-line-driven: the more recent Rust iteration of Hive takes various command-line options, so analysts cannot recover information such as the login credentials for the ransom-payment site from a sample alone. Microsoft also reported that Hive’s parameters change continually, which, combined with string encryption, makes analysis more challenging.

Benefits of using Rust in Ransomware:

For ransomware authors, the benefits of moving to Rust are:

  • It offers memory, data type, and thread safety
  • It has deep control over low-level resources
  • It has a user-friendly syntax
  • Interception of encrypted traffic
  • It has a good variety of cryptographic libraries
  • It’s relatively more difficult to reverse-engineer

Examples of Ransomware developed/moved to Rust recently:

In July 2022, Kaspersky discovered the Luna ransomware, which is developed in Rust. Thanks to Rust’s cross-platform capabilities, Luna can target Windows, Linux, and ESXi systems at the same time.

Following other strains like BlackCat, Hive, and Luna, the developers of the RansomExx ransomware are the latest to release a new variant completely rewritten in the Rust programming language. The most recent version, codenamed RansomExx2, was created by the threat actor known as Hive0091 (also known as DefrayX). It is primarily intended to run on Linux, while a Windows version is anticipated in the future.

In December 2022, Trend Micro discovered that Agenda (also known as Qilin), another ransomware group, has started using Rust. The Rust variant has also been observed employing intermittent encryption, a newer strategy that threat actors use to evade detection and to speed up encryption.
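As an added, defender-side example that is not part of the HAWKEYE post or of any ransomware family's code, the Rust program below shows why intermittent encryption (encrypting only part of each file) slips past a naive whole-file entropy check, and how a per-chunk entropy profile still catches it. The chunk size, the two thresholds, the xorshift stream that stands in for ciphertext and the sample file layout are all constructed assumptions for illustration.

```rust
// Added example (not from the HAWKEYE post or any ransomware family): per-chunk
// entropy profiling as a check for intermittently encrypted files.
// CHUNK_SIZE and both thresholds are assumptions chosen for illustration.
pub const CHUNK_SIZE: usize = 4096;
pub const HIGH_ENTROPY: f64 = 7.0; // bits/byte; chunk looks like ciphertext or compressed data
pub const LOW_ENTROPY: f64 = 6.0; // bits/byte; chunk still looks like ordinary content

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Plaintext,
    FullyEncrypted,
    IntermittentlyEncrypted,
}

/// Shannon entropy of `data` in bits per byte (0.0 for empty input).
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let n = data.len() as f64;
    counts.iter().filter(|&&c| c > 0).map(|&c| {
        let p = c as f64 / n;
        -p * p.log2()
    }).sum()
}

/// Entropy of every fixed-size chunk, in file order.
pub fn chunk_entropy_profile(data: &[u8], chunk_size: usize) -> Vec<f64> {
    data.chunks(chunk_size).map(shannon_entropy).collect()
}

/// A single whole-file threshold misses files whose encrypted chunks are diluted
/// by the untouched ones; the per-chunk profile does not.
pub fn classify(data: &[u8], chunk_size: usize) -> Verdict {
    let profile = chunk_entropy_profile(data, chunk_size);
    let high = profile.iter().filter(|&&e| e >= HIGH_ENTROPY).count();
    let low = profile.iter().filter(|&&e| e < LOW_ENTROPY).count();
    if !profile.is_empty() && high == profile.len() {
        Verdict::FullyEncrypted
    } else if high > 0 && low > 0 {
        Verdict::IntermittentlyEncrypted
    } else {
        Verdict::Plaintext
    }
}

/// Constructed stand-in for ciphertext: a xorshift64 stream (not a cipher), which
/// is enough to give a chunk the near-8-bit entropy that real ciphertext has.
pub fn pseudo_random_bytes(len: usize, seed: u64) -> Vec<u8> {
    let mut x = seed | 1; // xorshift must not start from zero
    (0..len).map(|_| {
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        (x >> 56) as u8
    }).collect()
}

/// Constructed plaintext: ordinary English, repeated to the requested length.
pub fn plaintext_bytes(len: usize) -> Vec<u8> {
    b"The quick brown fox jumps over the lazy dog. ".iter().copied().cycle().take(len).collect()
}

/// Constructed sample file of `chunks` chunks in which every `every_nth` chunk has
/// been "encrypted", mimicking a ransomware that only partially encrypts each file.
pub fn build_sample(chunks: usize, every_nth: usize) -> Vec<u8> {
    let mut out = Vec::with_capacity(chunks * CHUNK_SIZE);
    for i in 0..chunks {
        if i % every_nth == 0 {
            out.extend(pseudo_random_bytes(CHUNK_SIZE, 0x9E37_79B9_7F4A_7C15u64 ^ (i as u64 + 1)));
        } else {
            out.extend(plaintext_bytes(CHUNK_SIZE));
        }
    }
    out
}

fn main() {
    let sample = build_sample(8, 4); // 8 chunks, chunks 0 and 4 "encrypted"
    println!("whole-file entropy: {:.2} bits/byte", shannon_entropy(&sample));
    for (i, e) in chunk_entropy_profile(&sample, CHUNK_SIZE).iter().enumerate() {
        println!("chunk {i}: {e:.2} bits/byte");
    }
    println!("verdict: {:?}", classify(&sample, CHUNK_SIZE));
}
```

On the constructed sample the whole-file entropy lands around 6 bits per byte, below the 7.0 "looks encrypted" threshold, while the two encrypted chunks each sit near 8 and the untouched ones near 4.5, so the per-chunk verdict is `IntermittentlyEncrypted`. A canary-file or backup-integrity monitor that applies the same profile to recently modified files gets the same signal.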
