Ransomware and Rust

Well, it had to happen. The BlackCat (aka ALPHV) ransomware gang has implemented ransomware using Rust. While Rust has previously been used for malware, this is the first time it has been used for ransomware. The major advantage of using Rust for this is that deployment is likely to scale across a range of systems, and the code is easy to customize for target systems, as it avoids running within a framework and instead runs natively on the host.

The customization is exposed through a range of command-line options that are compiled into the executable itself. The code runs on both Windows and Linux systems, and can be launched with a range of options.

To run the code, an access token is required (`--access-token`), which makes it difficult to analyse the operation of the executable in a sandbox without the token. Overall, this program tries to disable: AV agents (such as avagent and avscc); programs which may hold locks on files (such as Outlook and PowerPoint); and backup services. The file types it avoids encrypting include EXE, MSI, BAT and DLL, as the ransomware does not want to render the system unbootable.

The FBI now reports that it has already hit over 60 organisations. It is delivered as RaaS (Ransomware as a Service): BlackCat uses an affiliate network, where affiliates are interviewed and vetted before being accepted. Once accepted, they retain between 80 and 90% of the ransom payment and have a Tor-based control panel to report infections.

The spread of this ransomware often starts with compromised user credentials, followed by a compromise of the Active Directory infrastructure. From there, the ransomware is deployed through the Windows Task Scheduler. The FBI has therefore asked organisations to review the commands registered with the Task Scheduler.
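Since the post's advice is to review what the Task Scheduler has been told to run, here is an added Rust example (not code from the post, and not related to the BlackCat binary) of the kind of audit a defender could script over an exported task list. It assumes a simplified three-column quoted-CSV export ("TaskName","Author","TaskToRun"); the sample lines, the heuristics, and the column layout are all constructed for this example, and mapping the real `schtasks /query /fo CSV /v` columns onto the struct is left to the reader.

```rust
/// One scheduled-task record. The three-column layout is an assumption
/// made for this example, not the real `schtasks` column set.
#[derive(Debug, Clone, PartialEq)]
pub struct ScheduledTask {
    pub name: String,
    pub author: String,
    pub command: String,
}

/// Split one line of quoted CSV ("a","b,c","d") into fields, honouring
/// commas inside quotes.
fn split_quoted_csv(line: &str) -> Vec<String> {
    let mut fields = Vec::new();
    let mut current = String::new();
    let mut in_quotes = false;
    for ch in line.chars() {
        match ch {
            '"' => in_quotes = !in_quotes,
            ',' if !in_quotes => fields.push(std::mem::take(&mut current)),
            _ => current.push(ch),
        }
    }
    fields.push(current);
    fields
}

/// Parse one data line; lines without exactly three fields are ignored.
pub fn parse_line(line: &str) -> Option<ScheduledTask> {
    let f = split_quoted_csv(line);
    if f.len() != 3 {
        return None;
    }
    Some(ScheduledTask { name: f[0].clone(), author: f[1].clone(), command: f[2].clone() })
}

/// Path fragments (lower-cased) that a standard user can write to; a task
/// whose action lives there deserves a closer look. Heuristic, not a rule.
const USER_WRITABLE: [&str; 4] = ["\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\"];

/// Return a list of review findings for one task; empty means nothing flagged.
pub fn audit(task: &ScheduledTask) -> Vec<String> {
    let mut findings = Vec::new();
    let cmd = task.command.to_lowercase();
    if USER_WRITABLE.iter().any(|p| cmd.contains(*p)) {
        findings.push("runs from a user-writable directory".to_string());
    }
    let interpreter = cmd.contains("powershell") || cmd.contains("cmd.exe") || cmd.contains("cmd /c");
    let quiet = cmd.contains("-enc") || cmd.contains("-w hidden") || cmd.contains("-windowstyle hidden");
    if interpreter && quiet {
        findings.push("interpreter launched with encoded or hidden-window arguments".to_string());
    }
    if task.author.trim().is_empty() {
        findings.push("no author recorded".to_string());
    }
    findings
}

/// Audit a whole export: skip the header, parse each line, keep only tasks
/// that produced at least one finding.
pub fn audit_csv(text: &str) -> Vec<(String, Vec<String>)> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty())
        .skip(1)
        .filter_map(parse_line)
        .map(|t| (t.name.clone(), audit(&t)))
        .filter(|(_, findings)| !findings.is_empty())
        .collect()
}

/// Constructed sample export: one benign built-in task and two that the
/// heuristics above should flag. Values are illustrative, not real IoCs.
pub const SAMPLE: &str = r#""TaskName","Author","TaskToRun"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"\UpdaterTask","","C:\Users\alice\AppData\Local\Temp\update.exe"
"\Maintenance","CONTOSO\svc-admin","powershell.exe -WindowStyle Hidden -EncodedCommand <base64 placeholder>"
"#;

fn main() {
    for (name, findings) in audit_csv(SAMPLE) {
        println!("{}", name);
        for f in findings {
            println!("  - {}", f);
        }
    }
}
```

The point of the design is that every heuristic is a named, testable function over plain data: the parser can be swapped for a real export format without touching `audit`, and each finding string maps to one reviewable condition rather than a single opaque "suspicious" flag.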

Rust is a powerful language, and mostly does good things. If you want to learn Rust, try here:

https://asecuritysite.com/rust/