IBM X-Force reports that RansomExx has been rewritten in Rust as RansomExx2, targeting Linux with a Windows variant likely in development. The rewrite highlights Rust’s cross-platform appeal and the ransomware’s continued use of AES-256 encryption with RSA-protected keys. #RansomExx2 #Rust #DefrayX #Hive0091 #PyXie #Vatet #RansomExx #XForce

Keypoints

  • RansomExx2 is a Rust-based rewrite of the RansomExx ransomware, designed to run on Linux with a Windows version likely in the works.
  • DefrayX threat actor group (Hive0091), known for PyXie, Vatet loader, and Defray ransomware, operates RansomExx2.
  • RansomExx2 encrypts files using AES-256 with RSA protecting the encryption keys; the RSA public key is embedded in the binary and the private key is held by the attacker.
  • The malware requires a list of target directories provided via the command line to encrypt, and will not encrypt anything if no arguments are supplied.
  • During encryption, files ≥40 bytes are processed, ransom notes are dropped in each directory, and a new file extension is assigned to encrypted files.
  • Elements such as RSA key, file extension, and ransom note name are themselves encrypted within the binary and decrypted by XOR, as an obfuscation/defense-evasion measure.
  • The article notes a rising trend of ransomware developers adopting Rust for cross‑platform support and lower AV detection, with X-Force predicting more Rust-based variants from major families.

MITRE Techniques

  • [T1059.003] Command-Line – The ransomware expects to receive a list of target directories to encrypt as input. Quote relevant content: ‘The ransomware expects to receive a list of directory paths to encrypt as input.’
  • [T1083] File and Directory Discovery – It enumerates and encrypts files in the specified directories. Quote relevant content: ‘enumerating and encrypting files.’
  • [T1486] Data Encrypted for Impact – It encrypts files using AES-256 and protects the keys with RSA. Quote relevant content: ‘Files are encrypted using AES-256 and a randomly generated key. The AES key is itself encrypted using RSA and a hardcoded public key, and appended to the end of the encrypted file.’
  • [T1577] Crypto: Public-Key Cryptography – RSA public key is used to protect the encryption keys; the attacker holds the private key. Quote relevant content: ‘The AES key is itself encrypted using RSA and a hardcoded public key, and appended to the end of the encrypted file.’
  • [T1027] Obfuscated/Compressed Files and Information – Elements such as the RSA key, file extension, and ransom note name and contents are encrypted within the binary and decrypted by XORing the encrypted data with an equal-sized key. Quote relevant content: ‘Elements such as RSA key, file extension, and the ransomware note name and contents, are encrypted within the binary and decrypted by xoring the encrypted data with an equal-sized key.’
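The key-protection layout quoted under T1486 and T1577 (per-file AES-256 key, RSA-wrapped with the embedded public key, appended to the end of the file), worked through as an added Go example that is not code from the article or from X-Force. AES-GCM, OAEP-SHA256 padding and a 2048-bit RSA key are assumptions, since the report names only AES-256 and RSA; the sample body is constructed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Assumptions, not report details: AES-GCM, OAEP-SHA256 key wrapping, 2048-bit RSA.
const rsaBits, trailerLen, nonceLen = 2048, 2048 / 8, 12 // OAEP output equals modulus size

// sealHybrid: AES-256 ciphertext under a fresh per-file key, RSA-wrapped key appended at the end.
func sealHybrid(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	kn := make([]byte, 32+nonceLen) // random key || random nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	key, nonce := kn[:32], kn[32:]
	block, _ := aes.NewCipher(key) // 32-byte key is valid by construction
	gcm, _ := cipher.NewGCM(block)
	body := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return append(body, wrapped...), nil
}

// openHybrid is the decryptor side: only the RSA private key unwraps the per-file AES key.
func openHybrid(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	split := len(blob) - trailerLen
	if split < nonceLen {
		return nil, fmt.Errorf("blob too short for nonce plus RSA trailer: %d bytes", len(blob))
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[split:], nil)
	if err != nil {
		return nil, err // any other private key fails the OAEP integrity check
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:split], nil)
}

func main() { // stand-alone demo on a constructed sample body
	priv, _ := rsa.GenerateKey(rand.Reader, rsaBits)
	blob, _ := sealHybrid(&priv.PublicKey, []byte("constructed sample file body"))
	fmt.Println(openHybrid(priv, blob))
}
```

Because each file gets its own random AES key, two encryptions of the same content produce different blobs, yet a single private key unwraps all of them; that is why the trailer is opaque to the victim and why a decryptor only becomes possible if the attacker's private key is obtained.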

Indicators of Compromise

  • [IOC Type] None identified – No IPs, domains, or file hashes are disclosed in the article.

Read more: https://securityintelligence.com/posts/ransomexx-upgrades-rust/