IBM Security X-Force Threat Researchers recently discovered RansomExx2, a variant of ransomware that was originally written in Rust.
Hive0091, also known as DefrayX, is the threat actor responsible for this malware. The RansomExx can also be identified by these other names:
- Ransom X
This new version has triggered a shift in ransomware creators to Rust, which is now a popular programming language used by threat actors.
If the Rust language is still being used by malware developers, this may change. AV vendors will increase their detection capabilities and its benefits will diminish. We may then see malware developers experiment with other languages.” IBM researchers said.
Rust’s ability to detect viruses at lower rates may be the main reason why Rust was chosen. It is now following the same trends as other strains like:
DefrayX, also called Hive0091 threat actor group, is also well-known for these strains:
- PyXie malware
- Vatet loader
- Defray ransomware
This group has released a variety of ransomware, including Windows and Linux versions. There is good chance that ransomware for Windows will soon be available.
Although the RansomExx2 variant has been created in Rust, it retains many of the same functionality as the predecessor.
RansomExx2 will require several parameters to decrypt target directories. After that files will be encrypted using AES256 and the encryption keys protected by RSA cryptography.
The ransomware group website has undergone an update. Now the page title is:
Ransomware executes and encrypts the files specified by the user. All files larger than 40 bytes, except ransom notes or previously encrypted files are protected.
Every encrypted file is assigned a new extension so it can easily be recognised. A ransom note is dropped in every location where encrypted files are found.
The ransom note is titled as “!_WHY_FILES_ARE_ENCRYPTED_!.txt” and this note contains the following information:-
RansomExx has had many victims since its inception, which was back in 2018.
- Government agencies
X-Force has determined that Rust will likely be targeted by more people in the near future. RansomExx is one of the most recent ransomware families that will shift to Rust by 2022.
Rust’s compiler process results in complex binaries, much like the Go programming language which saw a similar rise in threat actors using it over the last few years. This can make reverse engineering more difficult.
DDoS Protection For Applications –