Researchers have discovered the first professional ransomware strain coded in the Rust programming language and deployed against companies in real-world attacks. The ransomware is named ALPHV (aka BlackCat). Technically, it is the third ransomware strain written in Rust, following a proof-of-concept (PoC) strain released on GitHub in late 2020.
ALPHV is the first one to be created and deployed in the wild by what looks to be a professional cybercrime cartel. The author is believed to have previously been involved with the infamous REvil ransomware cartel in some capacity.
Following REvil’s model, this individual, who also goes by the name ALPHV, has been advertising a Ransomware-as-a-Service (RaaS) of the same name on two underground cybercrime forums (XSS and Exploit), inviting others to join and launch attacks against companies to extract ransom payments. Those who apply, known as “affiliates,” receive a version of the ALPHV ransomware that they can use in attacks.
Among the advertised features are the ability to encrypt data on Windows, Linux, and VMware ESXi systems, and the ability for “affiliates” to earn between 80% and 90% of the final ransom, depending on the total sum they extract from victims.
The BlackCat gang’s preferred initial entry vector is currently unknown, but once they breach a network, they search for and steal sensitive files and then encrypt local systems. The group engages in double extortion: they use the stolen data to put pressure on victims to pay, threatening to leak it if they don’t.
At present, the group seems to be operating multiple leak sites, each hosting the data of one or two victims, with ALPHV (BlackCat) creating a new one for each new round of attacks. One theory is that these leak sites are currently being hosted by the ALPHV (BlackCat) affiliates themselves, which would explain the different leak URLs.
While there were some other tentative attempts at creating ransomware in Rust last year, BlackCat is the first one that poses an actual threat and which companies need to be wary of. Researchers say it is more sophisticated than the others.
BlackCat is not the only professional malware operation to move to Rust, which is considered a much more secure programming language than C and C++. Other cybercrime groups, such as the operators of BuerLoader and FickerStealer, also took the first steps in 2021 towards deploying Rust versions of their tools.