This week, security researchers discovered the first professional ransomware strain written in the Rust programming language and used against businesses in real-world attacks.
ALPHV ransomware was discovered by security researchers from Recorded Future and MalwareHunterTeam (or BlackCat).
The ransomware is technically the third ransomware strain written in Rust, following the release of a proof-of-concept strain on GitHub in 2020 and an experimental and now-defunct strain named BadBeeTeam later that year.
However, while they were not the first, ALPHV (BlackCat) is the first to be created and deployed in the wild by what appears to be a professional cybercrime cartel.
ALPHV (BlackCat) is advertised on underground message boards
In a threat actor profile posted today, Recorded Coming analysts stated that they believe the ALPHV author was previously involved in some capacity with the infamous REvil ransomware cartel.
Following REvil's lead, this individual, also known as ALPHV, has been advertising a Ransomware-as-a-Service (RaaS) of the same name on two underground cybercrime forums since early December, inviting others to enter and launch aggression against large corporations to extract ransom payments that can then be divided. Those who use, directed to as "affiliates," are given a version of the ALPHV ransomware to use in attacks.
They promote the capability to encrypt data on Windows, Linux, and VMWare eSXI systems, as well as the ability for "affiliates" to earn between 80% and 90% of the final ransom, depending on the total amount they extract from victims. At the time of writing, the ALPHV gang seems to be in its early stages of operation, with only a handful of victims recognized so far, according to MalwareHunterTeam.
The BlackCat gang's chosen initial entry vector is anonymous at this time, but once inside a network, they search for and steal exposed files before encrypting local systems.
In line with the tactics of most major ransomware operations today, the group also uses stolen data to put pressure on victims to pay, threatening to leak the stolen data if they don't.
At the moment, the group appears to be running multiple leak sites, each of which hosts the data of one or two victims, with ALPHV (BlackCat) creating a new one to use in new attacks. A theory is that these leak sites are instantly being hosted by the ALPHV affiliates themselves, which explains the different leak URLs.
The malware world is gradually shifting to Rust
While there were some other uncertain attempts to make ransomware in Rust last year, BlackCat is the rather one that is a real threat that businesses should be aware of.
Michael Gillespie, a malware analyst at Emsisoft and the author of dozens of ransomware decryption utilities, described BlackCat as "very sophisticated" in a tweet yesterday.
However, BlackCat is not the only experienced malware process that has changed to Rust, which is considered a more secure programming language than C and C++.
Other cybercrime organizations, such as the operators of BuerLoader and FickerStealer, took the first steps toward deploying Rust versions of their tools in 2021.
Airzero Sec's professional Cyber Security Consulting team has years of experience working on projects for some of the world's largest corporations. Use that experience whenever you need it, whether it's to help you arrive or when you're executing technical controls. If you have any questions about the topic. Please do not hesitate to contact us via the email address provided.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/