IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Why are ransomware gangs pivoting to Rust?

The developer-favourite language is fast becoming a delight for ransomware criminals

A relatively new programming language on the scene, Rust was launched in 2015 and has quickly become a favourite not only for the pleasant experience it offers developers but also for the benefits it affords malware miscreants.

In the most recent 2022 Stack Overflow Developer Survey, Rust was, by far and away, the ‘most loved’ programming language among surveyed developers – a crown it’s claimed for seven years running since it was first released. Perhaps it came as no surprise, then, that Rust was also the language the most number of developers wanted to add to their repertoire, narrowly edging out Python.

This week, Microsoft revealed that the Hive ransomware group’s namesake payload has been almost entirely rewritten in Rust, moving away from Go – another favourite among malware and ransomware authors

After BlackCat, Hive has become the second ransomware group this year to rewrite its programme using Rust. This raises the question of what makes the industry-favourite language so appealing to ransomware gangs, specifically?

Rust’s killer duo of features

Safety first

Like many of the more modern programming languages designed to replace older ones, Rust claims to be “blazingly fast and memory-efficient” – much more than the likes of C and C++.

Microsoft’s analysis agrees, stating Rust offers better memory, data type, and thread safety over other languages. Memory safety is hugely important when writing secure software as memory-unsafe programmes can lead to crashes. Ransomware strains also need to remain operational – to continue to lock users out of their systems – in order for the ransom demands to be valid. Memory-unsafe programs are also responsible for the majority of software vulnerabilities in non-malicious software, according to Okta.

Rust is an incredibly safe language thanks to its compiler that outright refuses to compile unsafe code by default, meaning developers who code ransomware using Rust won’t even be able to run it unless the programme is guaranteed to run in a stable way.

Evasive manoeuvres

Newer languages Like Rust and Go are thought to be better at disguising the ways in which they work from malware analysts. This, in turn, prevents them from being reverse engineered to release decryptors, which would kill its ability to generate business.

Related Resource

Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency

Whitepaper cover with title over a grey rectangle with header graphic and ESG logoFree Download

Again, Rust’s compiler is to thank for this. Due to the comparatively complex way in which Rust code is compiled into machine-readable code, the language makes it difficult for analysts to view the inner workings of the programme. Proofpoint said in one analysis that it has observed previous malware strains being rewritten in Rust to avoid detections based on features of the programme written in C.

Rust is also a command line-driven language. The newer Rust version of Hive ransomware places different parameters in the command line which means things like the credentials required to access the ransom payment site cannot be accessed by analysts from the individual sample itself. The parameters in Hive are also being constantly updated, Microsoft said, and when coupled with string encryption, makes analysis increasingly difficult.

Examples of malicious Rust programmes

Examples of major malware programmes written in Rust date back to 2016, shortly after the language was released. Doctor Web researchers discovered a Linux backdoor trojan with functionality limited to just four commands sent over internet chat relay (IRC).

A year later, ESET published details of the TeleBots campaign that targeted Ukraine months before the NotPetya outbreak was observed. It used a pair of backdoors in order to compromise companies in the region, including one that was rewritten in Rust from Python.

As mentioned previously, Proofpoint also published its research into the r-writing of the Buer malware, the Rust iteration of which it named RustyBuer in 2021. The campaign saw the rewritten strain being distributed as part of phishing emails masquerading as shipping companies, and other associated campaigns purporting to be from the likes of logistics company DHL. The emails typically included links to download Microsoft Office documents that used macros to drop the RustyBuer malware - a technique that Microsoft continues to battle against today.

There are also the most recent examples from BlackCat and Hive, the first and second ransomware programmes to be re-written in Rust respectively. BlackCat is a prevalent strain of ransomware that prompted the FBI to issue a security advisory warning against it earlier this year. According to Varonis Threat Lab, the group behind BlackCat has actively recruited developers from the now-shuttered REvil, DarkSide, and BlackMatter ransomware organisations – all of which are believed to be Russia-affiliated.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Electrical explosion reported at Google's Iowa data centre
data centres

Electrical explosion reported at Google's Iowa data centre

9 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022