The operators of the RansomExx ransomware have become the latest to develop a new variant fully rewritten in the Rust programming language, following other strains like BlackCat, Hive, and Luna.
The latest version, dubbed RansomExx2 by the threat actor known as Hive0091 (aka DefrayX), is primarily designed to run on the Linux operating system, although it’s expected that a Windows version will be released in the future.
RansomExx, also known as Defray777 and Ransom X, is a ransomware family that’s known to be active since 2018. It has since been linked to a number of attacks on government agencies, manufacturers, and other high-profile entities like Embraer and GIGABYTE.
“Malware written in Rust often benefits from lower [antivirus] detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language,” IBM Security X-Force researcher Charlotte Hammond said in a report published this week.
RansomExx2 is functionally similar to its C++ predecessor and it takes a list of target directories to encrypt as command line inputs.
Once executed, the ransomware recursively goes through each of the specified directories, followed by enumerating and encrypting the files using the AES-256 algorithm.
A ransom note containing the demand is ultimately dropped in each of the encrypted directories upon completion of the step.
The development illustrates a new trend where a growing number of malicious actors are building malware and ransomware with lesser-known programming languages like Rust and Go, which not only offer increased cross-platform flexibility but can also evade detection.
“RansomExx is yet another major ransomware family to switch to Rust in 2022,” Hammond explained.
“While these latest changes by RansomExx may not represent a significant upgrade in functionality, the switch to Rust suggests a continued focus on the development and innovation of the ransomware by the group, and continued attempts to evade detection.”