
Why is Rust Preferred?

[Image: BlackCat's ThreatActor Page on the SOCRadar platform]

Software languages such as Rust, which can be considered relatively new, are designed to replace older ones. In this regard, they have some advantages:

Memory Management: Rust aims to provide better memory management through its unique model of storage in memory and its compile-time checks. Rust claims to be faster and more efficient than C and C++, and this claim seems to be accepted by many developers today. These beneficial aspects are also of interest to threat actors, since malware tries to stay operational and efficient. This is especially true for ransomware, where memory management is critical: the malware must remain functional and not crash if the operators are to receive the ransom payment. Rust also has other prominent advantages when used in malware development.

Evasion: Newer languages such as Rust are relatively fast and can evade the static analysis of many malware detection systems. Many security products have been designed for years around the signatures of well-known and widely used languages, so binaries produced by a different language can make static analysis much more difficult. This can allow the malware to evade signature-based defenses at the delivery stage and to perform similar maneuvers again once inside the system. After the malware is delivered, it uses evasive movements so as not to be detected by the security systems. Rust's speed in this regard increases the ransomware's chance of moving into the exploitation stage without being detected by many systems and security staff. The SOCRadar platform provides a proactive understanding of security and can assist with behavioral analysis rather than static security measures.

Hard to Reverse Engineer: Rust stands out in ransomware because the reverse engineering required to extract the decryptor is more complicated. The Rust compiler is relatively more complex, and the machine code it produces creates a more challenging task for many malware analysts. Decryptor generation becomes much more complex when reverse engineering becomes difficult, and the victim's only option may be to pay the ransom. The inability to examine the attacker's tools makes it very hard to take the necessary measures.

One of the first pieces of Rust-based malware detected in the wild was a Linux-running trojan found by Doctor Web researchers in 2016. This backdoor executed the commands it received over the IRC (Internet Relay Chat) protocol: on the system it infected, it listened to a specified IRC channel and waited for orders from its C2. A group named TeleBots was making disruptive attacks on Ukrainian companies with the KillDisk malware in 2016 and 2017. The group, which did not demand any ransom initially, later started to demand very high sums. However, the amount of ransom demanded showed that the group was not interested in money but only in causing harm.

[Image: A ransom demand of KillDisk (Source: ESET)]

Security researchers observed that the TeleBots group wrote one of the backdoors used during the infiltration process in Rust. After this point, Rust-written versions of various malware have been encountered to this day, especially to evade signature-based detection. However, the situation started to get serious when ransomware groups started using Rust in late 2021.

Which Ransomware Groups/Strains are Using Rust?

Ransomware written in Rust, which we first encountered with the BlackCat group that emerged at the end of 2021, continued to appear throughout 2022.

BlackCat

Also known as ALPHV, BlackCat has had over 200 victim announcements recorded by SOCRadar since its emergence; it is the first ransomware written in Rust and has the highest attack count. According to an FBI report on BlackCat, the group's high success rate was due to its use of a ransomware strain written in Rust. BlackCat operates on the RaaS model, but, just as with its variants, it has differentiated its business model by giving payouts of up to 90% to be competitive in this cybercriminal space. For a detailed analysis of the group and its TTPs and IoCs, see this article.

Hive

Hive Ransomware works as RaaS and has been active since 2021. It appeared as the second strain to transition to Rust and announced nearly 200 victims on its leak sites in 2022.
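The Evasion and Hard to Reverse Engineer points above, and the question of which strains are Rust-built, rest on Rust binaries looking unfamiliar to signature-based tooling and to analysts. As an added example (not code from the original article or from SOCRadar), the Python script below shows the defender's counterpart: a triage check that fingerprints a binary as Rust-built from artefacts the standard library leaves behind, plus a demangler for rustc's legacy `_ZN...E` symbol format that recovers readable crate paths such as `core::panicking::panic`. The function and class names (`scan_for_rust`, `demangle_legacy`, `RustScanReport`) are my own, the marker list is a constructed heuristic selection, and the two byte strings are constructed stand-ins for a Rust release build and a C binary, not real malware.

```python
import re
from dataclasses import dataclass, field

# Strings the Rust toolchain leaves in binaries built against std: panic
# location paths, std's own panic messages, and the RUST_BACKTRACE variable.
# Constructed, heuristic list; a scrubbed or stripped binary may lack them.
FIXED_MARKERS = [
    b"library/core/src/",
    b"library/std/src/",
    b"library/alloc/src/",
    b".cargo/registry/src/",
    b"called `Option::unwrap()` on a `None` value",
    b"RUST_BACKTRACE",
]
# Standard-library source paths embed the rustc commit hash.
RUSTC_PATH = re.compile(rb"/rustc/[0-9a-f]{40}/library/")
# Legacy Rust mangling: _ZN (<len><ident>)* 17h<16 hex digits> E
LEGACY_SYMBOL = re.compile(rb"_ZN[0-9A-Za-z_$.]*?17h[0-9a-f]{16}E")
# Punctuation escapes used by the legacy mangling scheme.
_ESCAPES = {"$SP$": "@", "$BP$": "*", "$RF$": "&", "$LT$": "<",
            "$GT$": ">", "$LP$": "(", "$RP$": ")", "$C$": ","}


def _unescape(ident: str) -> str:
    """Undo the escapes of one mangled path element."""
    if ident.startswith("_$"):  # '_' is padding placed before a leading '$'
        ident = ident[1:]
    for esc, ch in _ESCAPES.items():
        ident = ident.replace(esc, ch)
    ident = re.sub(r"\$u([0-9a-f]+)\$",
                   lambda m: chr(int(m.group(1), 16)), ident)
    return ident.replace("..", "::").replace(".", "-")


def demangle_legacy(sym: str) -> "str | None":
    """Demangle e.g. _ZN4core9panicking5panic17h0123456789abcdefE into
    core::panicking::panic; return None if the symbol is malformed."""
    if not (sym.startswith("_ZN") and sym.endswith("E")):
        return None
    body, parts, i = sym[3:-1], [], 0
    while i < len(body):
        j = i
        while j < len(body) and body[j].isdigit():
            j += 1
        if j == i:
            return None  # element without a length prefix
        n = int(body[i:j])
        ident = body[j:j + n]
        if len(ident) != n:
            return None  # truncated element
        parts.append(ident)
        i = j + n
    if not parts:
        return None
    if re.fullmatch(r"h[0-9a-f]{16}", parts[-1]):
        parts.pop()  # drop the trailing crate-disambiguator hash
    return "::".join(_unescape(p) for p in parts)


@dataclass
class RustScanReport:
    markers: list[str] = field(default_factory=list)
    symbols: list[str] = field(default_factory=list)

    @property
    def likely_rust(self) -> bool:
        # A demangled symbol is strong evidence; one lone marker is weak.
        return bool(self.symbols) or len(self.markers) >= 2


def scan_for_rust(data: bytes) -> RustScanReport:
    """Collect Rust toolchain artefacts from a raw binary image."""
    report = RustScanReport()
    report.markers += [m.decode() for m in FIXED_MARKERS if m in data]
    report.markers += [m.group(0).decode() for m in RUSTC_PATH.finditer(data)]
    for m in LEGACY_SYMBOL.finditer(data):
        name = demangle_legacy(m.group(0).decode("ascii"))
        if name is not None:
            report.symbols.append(name)
    return report


# Constructed samples (not real malware): bytes mimicking strings from a
# Rust release build, and a plain C-style binary for comparison.
RUST_LIKE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"_ZN4core9panicking5panic17h0123456789abcdefE\x00"
    + b"/rustc/" + b"a" * 40 + b"/library/core/src/panicking.rs\x00"
    + b"called `Option::unwrap()` on a `None` value\x00"
    + b"_ZN60_$LT$alloc..string..String$u20$as$u20$core..fmt..Display"
      b"$GT$3fmt17hdeadbeefdeadbeefE\x00"
)
C_LIKE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
          + b"printf\x00malloc\x00__libc_start_main\x00")

if __name__ == "__main__":
    for label, blob in (("rust-like", RUST_LIKE), ("c-like", C_LIKE)):
        rep = scan_for_rust(blob)
        print(f"{label}: likely Rust = {rep.likely_rust}; "
              f"markers={rep.markers}; symbols={rep.symbols}")
```

Running the script prints a verdict with the recovered markers and symbols for both samples. Knowing that a sample is Rust-built is the first step toward the behavioral analysis the text recommends: it tells the analyst to reach for Rust-aware tooling (symbol demangling, recognising std and alloc code) rather than treating the binary as opaque C. A stripped binary loses the symbols, so the verdict is supporting evidence, not proof.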
