Why are ransomware gangs pivoting to Rust?

A relatively new programming language on the scene, Rust was launched in 2015 and has quickly become a favourite not only for the pleasant experience it offers developers but also for the benefits it affords malware miscreants.

In the most recent 2022 Stack Overflow Developer Survey, Rust was, by far and away, the ‘most loved’ programming language among surveyed developers – a crown it’s claimed for seven years running since it was first released. Perhaps it came as no surprise, then, that Rust was also the language the most number of developers wanted to add to their repertoire, narrowly edging out Python.

This week, Microsoft revealed that the Hive ransomware group’s namesake payload has been almost entirely rewritten in Rust, moving away from Go – another favourite among malware and ransomware authors.

After BlackCat, Hive has become the second ransomware group this year to rewrite its program using Rust. This raises the question of what makes the industry-favourite language so appealing to ransomware gangs, specifically?

Rust’s killer duo of features

Safety first

Like many of the more modern programming languages designed to replace older ones, Rust claims to be “blazingly fast and memory-efficient” – much more than the likes of C and C++.

Microsoft’s analysis agrees, stating Rust offers better memory, data type, and thread safety over other languages. Memory safety is hugely important when writing secure software as memory-unsafe programs can lead to crashes. Ransomware strains also need to remain operational – to continue to lock users out of their systems – in order for the ransom demands to be valid. Memory-unsafe programs are also responsible for the majority of software vulnerabilities in non-malicious software, according to Okta.

Rust is an incredibly safe language thanks to its compiler that outright refuses to compile unsafe code by default, meaning developers who code ransomware using Rust won’t even be able to run it unless the program is guaranteed to run in a stable way.

Evasive manoeuvres

Newer languages Like Rust and Go are thought to be better at disguising the ways in which they work from malware analysts. This, in turn, prevents them from being reverse engineered to release decryptors, which would kill its ability to generate business.

Again, Rust’s compiler is to thank for this. Due to the comparatively complex way in which Rust code is compiled into machine-readable code, the language makes it difficult for analysts to view the inner workings of the program. Proofpoint said in one analysis that it has observed previous malware strains being rewritten in Rust to avoid detections based on features of the program written in C.

Rust is also a command line-driven language. The newer Rust version of Hive ransomware places different parameters in the command line which means things like the credentials required to access the ransom payment site cannot be accessed by analysts from the individual sample itself. The parameters in Hive are also being constantly updated, Microsoft said, and when coupled with string encryption, makes analysis increasingly difficult.

Examples of malicious Rust programs

Examples of major malware programs written in Rust date back to 2016, shortly after the language was released. Doctor Web researchers discovered a Linux backdoor trojan with functionality limited to just four commands sent over internet chat relay (IRC).

A year later, ESET published details of the TeleBots campaign that targeted Ukraine months before the NotPetya outbreak was observed. It used a pair of backdoors in order to compromise companies in the region, including one that was rewritten in Rust from Python.

As mentioned previously, Proofpoint also published its research into the re-writing of the Buer malware, the Rust iteration of which it named RustyBuer in 2021. The campaign saw the rewritten strain being distributed as part of phishing emails masquerading as shipping companies, and other associated campaigns purporting to be from the likes of logistics company DHL. The emails typically included links to download Microsoft Office documents that used macros to drop the RustyBuer malware - a technique that Microsoft continues to battle against today.

There are also the most recent examples from BlackCat and Hive, the first and second ransomware programs to be re-written in Rust respectively. BlackCat is a prevalent strain of ransomware that prompted the FBI to issue a security advisory warning against it earlier this year. According to Varonis Threat Lab, the group behind BlackCat has actively recruited developers from the now-shuttered REvil, DarkSide, and BlackMatter ransomware organisations – all of which are believed to be Russia-affiliated.