IBM: RansomExx becomes latest ransomware group to create Rust variant

The RansomExx ransomware group has become the latest gang to create a variant in the Rust programming language, according to IBM Security X-Force Threat researchers.

Charlotte Hammond, a malware reverse engineer for IBM Security X-Force, told The Record the development was important because antivirus detection rates tend to be lower for Rust compiled malware, making it easier to slip past defenses. 

“While switching languages may sound like a minor thing, it’s not a trivial exercise. They’re not just making an update to their existing code base; they’re recreating it from scratch in a completely new language with a completely different syntax and set of libraries. It’s likely to be a language that their developers are less familiar with too, which will also add to the time and effort required,” she said.

“In cases like this one, the group already have an existing and well-established piece of ransomware, yet they have decided that the benefits of the switch are worth the effort.”

As an example, IBM researchers noted that the sample used for their report was not detected as malicious in the VirusTotal platform for at least two weeks after its initial submission.

The new sample is still only detected by 14 out of the 60+ AV providers represented in the platform, the researchers found.

The developers behind RansomExx also created the PyXie malware, Vatet loader, and Defray ransomware strains, IBM explained.

The group has been implicated in attacks on Brazil’s largest clothing department store chain, a Scottish mental health charity, the government of Lazio, Italy’s portal for COVID-19 vaccinations and Taiwanese computer hardware vendor GIGABYTE.

The new variant, named RansomExx2, is built to run on the Linux operating system but IBM noted that the group typically creates versions for Windows as well. 

Emsisoft ransomware expert Brett Callow said many other ransomware groups are using Rust, and IBM added that many other ransomware groups have created their own Rust variants, including high profile gangs like BlackCat, Hive, and Zeon.

“The Rust programming language has been steadily increasing in popularity among malware developers over the course of the past year, thanks to its cross-platform support and low AV detection rates,” the researchers said.

“Like the Go programming language, which has experienced a similar surge in usage by threat actors over the past few years, Rust’s compilation process also results in more complex binaries that can be more time-consuming to analyze for reverse engineers.”

Hammond added that the lower antivirus detection rates are the main reason most groups turn to languages like Rust, explaining that every additional target that they can successfully execute the ransomware on, without it being detected and quarantined by AV, represents another possible source of income.

The lower AV detection rates for Rust binaries can likely be explained by the language being much less commonly used, so AV vendors will have fewer signatures for it, and less available samples to train their detection applications with, Hammond explained

“If the Rust language continues to be adopted by malware developers, then this will eventually change as AV vendors will start increasing their abilities to detect it, and so its advantages compared to other languages will lessen. At that point we may see malware developers shift and start to experiment with different languages instead,” she said.

“It’s for this reason as well that it’s important to highlight these language changes when they arise. Raising awareness of the fact that more groups are adopting a new language will hopefully encourage security teams to research the matter and ensure they have the capabilities to detect and defend against it.”

Recorded Future ransomware expert Allan Liska said two years ago, there were a lot of stories about ransomware groups switching to Golang, or new ransomware being developed in that language. 

Liska said that trend did not last for unknown reason but noted that many have switched to Rust as the programming language of choice for ransomware groups.

“Ransomware is software and like any software it has to be updated regularly. Ransomware groups switch to whatever platforms are going to help them be successful and one advantage of Rust is that it makes the ransomware harder to detect (by AV products), for now,” he said. 

“The security industry will catch up shortly and it becomes a cat and mouse game where the ransomware groups develop new methods to evade detection and AV and EDR vendors develop new and better detections.”