Slippery RansomExx Malware Moves to Rust, Evading VirusTotal

A new, harder-to-peg version of the ransomware has been rewritten in the Rust programming language.

Dark Reading Staff, Dark Reading

November 25, 2022

1 Min Read

The APT group DefrayX appears to have launched a new version of its RansomExx malware, rewritten in the Rust programming language -- possibly to avoid detection by antivirus software.

According to IBM Security X-Force Threat researchers, that evasion may be successful, at least for now. IBM reported that one sample that it analyzed "was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission" and that "the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform."

Besides being harder to detect and reverse-engineer than the C/C++ original, a Rust codebase is portable: the same source can be compiled for several operating systems. So while the new RansomExx version analyzed so far runs on Linux, IBM expects a Windows build to follow, if one is not already circulating undetected.
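A Rust port sheds the byte patterns and strings that detections for the earlier version keyed on, but the Rust toolchain leaves its own tell-tale artifacts (embedded "/rustc/<commit>/" source paths, standard-library panic strings). The following triage helper is an added example, not code from this article or from IBM X-Force: it tags a binary as Rust-built and reports its target platform from the file magic, which is the cheap first pass a defender can run while proper signatures catch up. The marker strings are an assumption about typical release builds (a stripped or obfuscated build may lack them), and the sample bytes are constructed for the example, not taken from any RansomExx sample.

```python
"""Triage heuristic: does a binary look Rust-built, and for which platform?

Added example. Assumptions: the marker strings below are typical of Rust
release builds; a stripped or obfuscated binary may carry none of them.
The sample bytes at the bottom are constructed for this example only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# rustc embeds the standard-library source path, keyed by the compiler's
# 40-hex git commit, e.g. "/rustc/<commit>/library/std/src/panicking.rs".
RUSTC_PATH_RE = re.compile(rb"/rustc/([0-9a-f]{40})/")

# Strings the Rust runtime and Cargo commonly leave behind (assumed markers).
RUST_STRINGS = (
    b"core::panicking",
    b"panicked at",
    b"library/std/src",
    b"library/core/src",
    b"rust_begin_unwind",
    b".cargo/registry",
)

# File magic -> platform, so a Windows build is flagged the moment it appears.
MAGIC = {
    b"\x7fELF": "ELF (Linux/Unix)",
    b"MZ": "PE (Windows)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (BE)",
    b"\xca\xfe\xba\xbe": "Mach-O fat",
}


@dataclass
class RustTriage:
    platform: str
    rustc_commit: Optional[str]
    markers: List[str] = field(default_factory=list)

    @property
    def looks_rust(self) -> bool:
        # A rustc path is decisive; otherwise require two independent markers
        # so a single coincidental string does not produce a false positive.
        return self.rustc_commit is not None or len(self.markers) >= 2


def detect_platform(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(data: bytes) -> RustTriage:
    m = RUSTC_PATH_RE.search(data)
    commit = m.group(1).decode() if m else None
    markers = [s.decode() for s in RUST_STRINGS if s in data]
    return RustTriage(detect_platform(data), commit, markers)


def triage_file(path: str) -> RustTriage:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples (not real malware): header magic, padding, then the
# kind of strings each toolchain leaves in the binary.
_COMMIT = b"0123456789abcdef" * 2 + b"01234567"  # 40 hex chars
SAMPLES = {
    "elf_rust": b"\x7fELF\x02\x01\x01" + b"\x00" * 57
    + b"/rustc/" + _COMMIT + b"/library/std/src/panicking.rs\x00"
    + b"panicked at\x00core::panicking\x00",
    "elf_c": b"\x7fELF\x02\x01\x01" + b"\x00" * 57
    + b"GCC: (GNU) 12.2.0\x00__libc_start_main\x00",
    "pe_rust": b"MZ\x90\x00" + b"\x00" * 60
    + b"core::panicking\x00panicked at\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        t = triage(blob)
        print(f"{name:9s} platform={t.platform:18s} rust={t.looks_rust} "
              f"commit={t.rustc_commit} markers={t.markers}")
```

On real files, run `triage_file()` over a sample and treat a positive as a reason to pull the binary into a Rust-aware analysis workflow rather than as a verdict on its own; a rustc commit, when present, also pins down which compiler release built it.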

RansomExx is far from the only malware family to adopt Rust. BlackCat, Hive, and, before that, Buer are prominent examples of malware written in or ported to Rust, a move that leaves detections built on the families' earlier versions with nothing to match.

DefrayX is known for its attacks targeting cloud workloads and specific verticals, including healthcare and manufacturing.
