Why Ransomware Groups Such as BlackCat Are Turning to Rust
Experts Say Future Ransomware Will Be Coded in Rust Programming Language
The BlackCat ransomware group, also known as Alphv, has garnered attention from security researchers the world over following a chain of successful exploits in the U.S., France, Spain and the Philippines over a two-month timespan. Its most recent victims were oil terminals in Belgium, Germany and the Netherlands.
There are indicators to show that BlackCat is a successor to the BlackMatter and DarkSide ransomware groups. Reports show that BlackCat operators previously worked for the BlackMatter and DarkSide ransomware families (see: Ransomware: Alphv/BlackCat Is DarkSide/BlackMatter Reboot).
Unit 42's analysis and researchers from cybersecurity firms Attivo Networks and CloudSEK tell Information Security Media Group that a key factor in BlackCat's recent success is new ransomware code written in Rust that adds detection evasion capabilities, better security and versatility, which allow threat actors to attack both Linux and Windows systems.
The trend of ransomware groups switching to malware written in newer, unconventional languages has been observed as far back as 2014, when VirusBulletin reported how Visual Basic 6 was considered to be one of the "most hated binaries" owing to the complexity of reverse-engineering the code to analyze malware.
Ransomware developers aren’t the only ones to seek new approaches. Last July, the Blackberry Threat Intelligence Team released a report detailing how developers behind the Adwind Remote Access Trojan turned to the platform-agnostic Java language to target various operating systems. A similar tactic was involved in ransomware attacks attributed to APT29, aka Cozy Bear.
Rust Helps Evade Static Analysis
Rust has been around for over a decade. Designed by Graydon Hoare during his stint at Mozilla Research, Rust was developed in 2010 to enhance the performance of Mozilla Firefox. The Rust website describes the programming language as being "blazingly fast and memory-efficient."
BlackCat's migration to Rust, which can run on embedded devices and integrate with other languages, comes as no surprise to Carolyn Crandall, chief security advocate at network security specialist Attivo Networks. She tells ISMG that attackers are always going to innovate with new code that is designed to circumvent endpoint defense systems.
Crandall says BlackCat ransomware is "extremely sophisticated" because it is human-operated and command line-driven.
A blog post by Iron.io says that in addition to being fast and efficient, a command line interface is better at handling repetitive tasks, needs fewer resources and consumes less CPU processing time than other interfaces.
Anandeshwar Unnikrishnan, senior threat researcher at cybersecurity firm CloudSEK, tells ISMG that threat actors, especially malware developers, will eventually move away from the traditional programming languages they formerly used to write malware, such as C or C++, and adopt newer languages, such as Rust, Go and Nim.
Unnikrishnan says there are plenty of reasons for malware developers to migrate to languages such as Rust, Go and Nim. But the main reasons are because these newer languages are fast and can evade static analysis of most malware detection systems.
Malware detection can be done through either static or behavioral analysis. In static detection, he says, all security endpoint systems - EDR, XDR or AV endpoints - are designed on common languages such as C++ and have a fixed set of signatures.
"When you use a programming language that isn't as widely used as C++, the signatures used for detection are not adequately updated to be able to read the pattern and deduce if a particular logic is malicious or not," he says.
According to Unnikrishnan, in a Rust or a Go compiler, when the code is converted to an executable program, the internal constructs are more complicated than their C or C++ counterparts. This gives the malware developer an edge over threat hunters when it comes to the analysis.
"It's very difficult to reverse-engineer and analyze a Go-based malware, as there are way too many code segments," he says.
Again, more than just ransomware developers are seeking such capabilities. Last May, Proofpoint researchers analyzed RustyBuer malware, and found that the code had been rewritten from Buer to Rust. The rewritten code added "anti-analysis features, strings, and encoding of command-and-control requests," they said.
What Gives Rust an Edge Over C/C++
Unnikrishnan says Rust is one of the most secure languages available today. According to an article on GeeksforGeeks, the language proved to be so effective that programmers began to turn to Rust instead of using C++ for software development. Although Rust is syntactically similar to C++, it scores more points when it comes to speed and memory safety.
A Reddit user who goes by the name RustEvangelist10xer says that writing a program in Rust is not only easy, but super-fast as well. "You could probably hack together a ransomware code in a couple of hours, with the bonus that you'll know it works," he says.
A comparison between writing code to print "Hello World" in C++ and in Rust illustrates the ease of coding and speed with Rust.
In C++:
    #include <iostream>   // the header the article's listing lost to HTML stripping
    int main() {
        std::cout << "Hello, world!";
        return 0;
    }
In Rust:
    fn main() {
        println!("Hello World!");
    }
Better Security and Stability
Unnikrishnan says that if a script kiddie designs malware in C or C++, there are bound to be multiple vulnerabilities as both languages are prone to errors. "However, when you code in Rust, 99% of the code will be secure after compiling to an executable," he says.
Also, Unnikrishnan says that ransomware coded in Rust will not contain memory corruption or logical bugs that security researchers could exploit.
GeeksforGeeks says that Rust is a more innovative system-level language in terms of safer memory management. This is because, unlike C or C++, Rust does not allow dangling pointers or null pointers. A dangling pointer points to a deleted memory location.
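The dangling-pointer and null-pointer guarantee described above, shown in working Rust as an added example (not code from the article or from any ransomware sample); the struct and function names are this example's own, and the bug the commented-out function would introduce is the one the C++ equivalent compiles without complaint.

```rust
// Added illustration of Rust's ownership rules; names are this example's own.

/// A view into a text buffer. The lifetime `'a` ties the view to the buffer it
/// borrows from, so the compiler rejects any use of the view after the buffer
/// is gone. The C++ equivalent, a `const char*` into a freed std::string,
/// compiles and silently reads freed memory (a dangling pointer).
struct Longest<'a> {
    line: &'a str,
    len: usize,
}

/// Returns the longest line, or `None` for empty input. The `Option` stands in
/// for a null pointer: a caller cannot touch `line` without handling `None`.
fn longest_line(text: &str) -> Option<Longest<'_>> {
    text.lines()
        .map(|l| Longest { line: l, len: l.len() })
        .max_by_key(|c| c.len)
}

/// Owned copy of the longest line, safe to use after the source buffer is dropped.
fn longest_owned(text: &str) -> Option<String> {
    longest_line(text).map(|c| c.line.to_owned())
}

// What the borrow checker rejects. Uncommenting this fails to build, because the
// returned view references the local `buf`, which is dropped when the function ends:
//
// fn dangling() -> Longest<'static> {
//     let buf = String::from("temporary");
//     longest_line(&buf).unwrap()
// }

fn main() {
    let owned = {
        // constructed sample input
        let buf = String::from("GET /a\nGET /index\nGET /b");
        longest_owned(&buf) // the owned copy escapes the block; a borrow could not
    };
    match owned {
        Some(line) => println!("longest request line: {}", line),
        None => println!("no lines"),
    }
}
```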
The Attack Vector
The common modus operandi of the BlackCat ransomware group is network intrusion followed by the compromise of the domain controller and then execution of the ransomware code.
Unnikrishnan says that, unlike APT groups, ransomware groups such as BlackCat do not prioritize persistence. "Once they hit you, they simply steal the data and leave," he says. For this reason, he says, he hasn't observed any persistence mechanism adopted by BlackCat.
This makes it hard for traditional detection tools to accurately flag incursions. "BlackCat is known to use a variety of encryption modes, moves laterally and gains administrative privileges to spread between computers, encrypt other devices and wipe out information to prevent recovery," Crandall says.
Unnikrishnan says the group employs many access brokers to procure initial access, which is given to a team responsible for deploying the malware. For lateral movement, the group relies on group policy settings.
A Versatile Ransomware That Targets Linux and Windows
Unnikrishnan says that BlackCat developers built two versions of the ransomware - one for Linux and the other for Windows.
"The functionality aspect of BlackCat is a differentiator. I've seen the code in action - it's a very powerful tool that offers a lot of flexibility to the user by providing multiple arguments to run on a system," he says.
He adds that usually when researchers examine ransomware code, they find only one cryptographic algorithm to lock out the system, but in the case of BlackCat, the attackers use multiple encryption techniques to lock out intrusion.
What Enterprises Must Do
In the wake of the BlackCat ransomware group targeting oil transport and storage companies in Belgium, Germany and the Netherlands through a series of targeted supply chain attacks, as reported by German newspaper Handelsblatt, Dawn Cappelli, former vice president and CISO at industrial automation company Rockwell Automation, said in a LinkedIn post: "Please take this as a wakeup call if your company runs an OT environment and you do not have an integrated IT/OT cybersecurity program."
She recommends companies have their IT and security staff as well as plant managers go through the NIST cybersecurity framework, identify the most critical security gaps and work toward fixing them.
"Install security software that can detect the in-network lateral movement of an attacker," she adds.
Unnikrishnan says companies shouldn't worry about the language a malware is coded in, but instead focus on ensuring that basic security mechanisms won't allow ransomware such as BlackCat to find a way into the corporate network.
CloudSEK has issued an advisory on its site listing both Windows and Linux IOCs associated with the Alphv-ng or BlackCat ransomware.