RansomExx is a ransomware family that first emerged in 2018 under the name Defray. Since then, the malware has undergone multiple changes, with the latest updates written in the Rust language. This makes RansomExx the latest addition to the growing list of ransomware families switching to other languages.
Previously, Hive and BlackCat, among other prominent ransomware, had been rewritten in Rust to expand their attack scope.
The purpose behind switching to Rust
Ransomware written in Rust has low detection rates, which is one of the primary reasons ransomware developers opt for this language. Switching to Rust also offers a variety of other advantages:
Memory, data type, and thread safety
Several mechanisms for concurrency and parallelism, enabling fast and safe file encryption
Good cryptographic libraries
Difficult to reverse engineer
RansomExx2 is a new variant of RansomExx, which is also written in Rust. It includes functionality similar to its C++ predecessors.
The variant uses AES-256 with RSA algorithms to encrypt specific files on victims’ computers. Each encrypted file is given a new file extension with random characters.
The operators have also updated the website, with the page title now listed as ransomexx2.
The bottom line
Researchers assess that these latest changes by RansomExx may not be a significant upgrade in functionality and that the group will continue to make developments to improve its evasion techniques. Organizations are therefore advised to use the IOCs to investigate whether such threats exist in their environments and to evaluate for potential intrusion.