RansomExx operators have reworked the malware and created a new version in the Rust programming language. According to reports, Rust, a relatively new language, is popular for being fast and memory-efficient. The latest variant is called RansomExx2 and, among other benefits, will help attackers evade AV detection.
While the new variant was initially intended for Linux, there have been reports of a work-in-progress Windows version as well. Ransomware gangs including BlackCat, Hive, Luna, and Zeon have reportedly been using the Rust programming language. Hive turned to Rust for its encryptor, and BlackCat turned from Tor for its encryptor to Rust, which, according to reports, has a detection rate of 0.
RansomExx ransomware is operated by the DefrayX group, which has employed the PyXie malware, the Vatet loader, and Defray ransomware in the past. Even though RansomExx2 is completely rewritten in Rust, its functionality is very similar to that of the C++ version. The ransomware group has updated its website page title to ransomexx2, as shown below:
(Source: Security Intelligence)
The older RansomExx
RansomExx was first reported in 2018 and was used to launch ransomware attacks on Brazil's Superior Court of Justice and Texas courts in 2020. A Cyble intelligence report shows that this ransomware mainly targets the manufacturing, healthcare, automotive, and government and law enforcement agency (LEA) sectors. Some source-code path strings within the binaries observed by researchers indicated that they were a variant of the older RansomExx, likely called RansomExx2.
Ransomware developers turning to Rust
Rust produces complex binaries that are time-consuming to reverse engineer, which gives attackers more time and helps protect their interests. Just as for companies worldwide, such as Firefox, Dropbox, and Cloudflare, Rust offers cybercriminals several benefits in terms of performance, reliability, and results. Rust is fast, integrates with other languages, and offers thread safety and helpful error messages with multi-editor support. Compared with other languages, it evades detection in antivirus scans, making it dangerous for this ransomware's targets.
The Rust programming language is designed for good performance and safety, researchers at Cyble told The Cyber Express team. They further shared that the language is also versatile and supports cross-platform functionality, adding that malware developers choose Rust because of the complexity involved in reverse engineering the resulting ransomware binary.
After execution, the ransomware traverses the targeted directories and, along the way, encrypts the files it finds with the AES-256 algorithm. AES, the Advanced Encryption Standard, also called Rijndael, converts data into ciphertext, making it inaccessible to its intended users, in this case the victims of the ransomware attack. The attack concludes with a ransom note dropped in every directory it has encrypted. It uses RSA to protect the AES encryption keys.
A sample ransom note (Source: Security Intelligence)
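The two on-disk traces the article describes, AES-256 ciphertext in place of the original files and a ransom note in every affected directory, are what a defender can look for after the fact. The following Python script is an added example written for this page; it is not code from the article, from Security Intelligence, or from Cyble, and it does not reproduce any RansomExx2 behaviour. It walks a directory tree, flags files whose leading bytes have near-maximal Shannon entropy (as AES output does), and reports directories that combine such files with a note-like text file. The note-name markers, the entropy threshold, and the sample tree it builds are all constructed assumptions for the demonstration, not indicators taken from the malware.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed heuristics (assumptions, not RansomExx2 indicators):
# substrings commonly seen in ransom-note file names, and an entropy cut-off.
RANSOM_NOTE_MARKERS = ("readme", "how_to", "decrypt", "recover")
ENTROPY_THRESHOLD = 7.2  # bits per byte; random/AES output approaches 8.0, text sits near 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name: str) -> bool:
    """Name-based check: a .txt file whose name carries one of the marker substrings."""
    lower = name.lower()
    return lower.endswith(".txt") and any(m in lower for m in RANSOM_NOTE_MARKERS)


def scan_tree(root: str, sample_bytes: int = 4096):
    """Return [(directory, high_entropy_file_count)] for directories that hold
    at least one high-entropy file AND a note-like text file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        high_entropy = 0
        has_note = False
        for name in files:
            if looks_like_ransom_note(name):
                has_note = True
                continue  # the note itself is plain text; do not count it
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    chunk = fh.read(sample_bytes)  # sample only the head of each file
            except OSError:
                continue
            # Short files give unreliable entropy estimates, so require a minimum size.
            if len(chunk) >= 256 and shannon_entropy(chunk) >= ENTROPY_THRESHOLD:
                high_entropy += 1
        if has_note and high_entropy > 0:
            findings.append((dirpath, high_entropy))
    return findings


def build_sample_tree() -> str:
    """Constructed sample data: one clean directory with ordinary text, and one
    directory mimicking the post-encryption state (random bytes standing in for
    ciphertext, plus a note-like file). Returns the temporary root path."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("quarterly report draft\n" * 50)  # low-entropy plaintext
    hit = os.path.join(root, "hit")
    os.makedirs(hit)
    for i in range(3):
        with open(os.path.join(hit, f"doc{i}.bin"), "wb") as fh:
            fh.write(os.urandom(4096))  # stand-in for AES-256 ciphertext (constructed)
    with open(os.path.join(hit, "!HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("constructed sample note text\n")
    return root


if __name__ == "__main__":
    for directory, count in scan_tree(build_sample_tree()):
        print(f"suspicious: {directory} ({count} high-entropy files + note)")
```

The entropy check on its own is noisy (compressed archives, images, and legitimately encrypted files all score high), which is why the script only reports a directory when a note-like file sits beside the high-entropy files; in a real deployment the marker list would be tuned to the notes actually observed and the scan would be paired with file-system activity monitoring rather than run as a one-off sweep.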
Researchers predict that Rust is likely to be adopted by several other ransomware developers in the future, both for innovation and for evading detection.