RansomExx joins the ranks of ransomware gangs switching to Rust
While switching a programming language might sound trivial, the change indicates cybercriminals are carefully weighing the benefits of the swap.

The RansomExx ransomware group is the latest gang to join the growing ranks of malware developers favoring the Rust programming language. According to IBM Security X-Force Threat researchers, a novel variant of RansomExx malware written in Rust has already been circulating in the wild.

The Rust programming language was created by Graydon Hoare and launched by Mozilla in 2010.

Other ransomware gangs such as BlackCat, Hive, Luna, and others have already made the switch earlier this year. Even though switching a programming language might sound mundane, it’s far from it.

Groups making the switch have completely rewritten malware used in attacks, the primary product ransomware cartels sell to affiliates via the ransomware-as-a-service (RaaS) model. Spending time and treasure on a complicated task signals that the benefits of switching outweigh the troubles.

IBM researchers believe that malware written in Rust has a lower chance of being detected by antivirus programs, making it easier for ransomware gangs to infiltrate targeted IT systems. For example, for two weeks, the most recent sample managed to avoid detection in the VirusTotal platform, a global antivirus aggregator.

“As of the time of writing, the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform,” researchers noted in a blog post.

According to Microsoft, besides security evasion, Rust offers other benefits to malware developers. For example, it gives deep control over low-level resources, has a user-friendly syntax, provides a wide variety of cryptographic libraries, and is more difficult to reverse-engineer than more commonly used programming languages.

RansomExx malware was first observed targeting organizations in mid-2020. Close to 50 organizations have been hit using the gang’s malware. The gang recently posted internal documents taken from the Italian luxury car maker Ferrari.

Other victims include Japanese tech company Konica Minolta, Taiwanese computer hardware manufacturer GIGABYTE, US software provider Tyler Technologies, and others.