Saturday, December 21, 2024
HomeRansomwareHackers Rewritten The RansomExx Ransomware in Rust Language To Evade Detection

Hackers Rewritten The RansomExx Ransomware in Rust Language To Evade Detection

Published on

SIEM as a Service

There has recently been a discovery made by IBM Security X-Force Threat Researchers regarding a new variant of ransomware known as RansomExx that is dubbed RansomExx2 which was written in Rust language.

While threat actor behind this malware is known as Hive0091 (aka DefrayX). Apart from this, the RansomExx is also known by following these names:- 

  • Defray777
  • Ransom X

With the release of this new variant, a growing trend has been noticed in which ransomware developers are switching to the Rust programming language, which has become a common programming language for threat actors.

- Advertisement - SIEM as a Service

“If the Rust language continues to be adopted by malware developers, then this will eventually change as AV vendors will start increasing their abilities to detect it, so its advantages compared to other languages will lessen. At that point, we may see malware developers shift and experiment with different languages instead,”. IBM researchers said.

Technical Analysis

The primary reason for using Rust may have been its ability to offer lower detection rates for anti-virus programs. As a result of this growing trend, it is following the same patterns as strains such as:-

  • BlackCat
  • Hive
  • Luna

DefrayX (aka Hive0091) threat actor group is also known for the following strains:-

  • PyXie malware
  • Vatet loader
  • Defray ransomware

A wide variety of ransomware has previously been released by this group, including versions for Linux and Windows. That’s why there is a good possibility that the Windows version of the ransomware will also be released soon.

Though the new variant RansomExx2 has been molded in the Rust programming language, but it still maintains much of its functionality as its predecessor.

Several parameters will need to be passed to RansomExx2 as part of its command line arguments to encrypt the target directories. Following that, files are encrypted with AES-256, while the encryption keys are protected with RSA cryptography.

There has also been an update to the ransomware group’s website, where now the page title has been changed to:-

  • ransomexx2

When executed, ransomware enumerates and encrypts files in the directories specified by the user. With the exception of ransom notes and previously encrypted files, all files with a size of more than 40 bytes are encrypted.

A new file extension is given to every encrypted file so that it can be recognized easily. In every directory where the encrypted files are located, a ransom note will be dropped.

The ransom note is titled as “!_WHY_FILES_ARE_ENCRYPTED_!.txt” and this note contains the following information:-

There have been a number of victims of RansomExx’s operations since the operation was launched in 2018, including the following:

  • Government agencies
  • GIGABYTE
  • Zegna

There is a high probability that there will be more threats trying out Rust in the future, as determined by X-Force. Among the newest ransomware families to shift to Rust in 2022 is RansomExx.

“Like the Go programming language, which has experienced a similar surge in usage by threat actors over the past few years, Rust’s compilation process also results in more complex binaries that can be more time-consuming to analyze for reverse engineers.”

Managed DDoS Attack Protection for Applications – Download Free Guide

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

NotLockBit – Previously Unknown Ransomware Attack Windows & macOS

A new and advanced ransomware family, dubbed NotLockBit, has emerged as a significant threat...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

Mauri Ransomware Leverages Apache ActiveMQ Vulnerability to Deploy CoinMiners

The Apache ActiveMQ server is vulnerable to remote code execution (CVE-2023-46604), where attackers can...