{ "id": "9105e956-a06e-461e-9f21-7c007df45d57", "created_at": "2026-04-06T00:21:47.101531Z", "updated_at": "2026-04-10T03:25:13.454947Z", "deleted_at": null, "sha1_hash": "0331f42c608fcc93d86fc9edd1ec09d2052fa3dd", "title": "RansomExx Ransomware upgrades to Rust programming language", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 327376, "plain_text": "RansomExx Ransomware upgrades to Rust programming\r\nlanguage\r\nBy Pierluigi Paganini\r\nPublished: 2022-11-24 · Archived: 2026-04-02 12:32:11 UTC\r\n Pierluigi Paganini November 24, 2022\r\nRansomExx ransomware is the last ransomware in order of time to have a version\r\ntotally written in the Rust programming language.\r\nThe operators of the RansomExx ransomware (aka Defray777 and Ransom X) have developed a new variant of\r\ntheir malware, tracked as RansomExx2, that was ported into the Rust programming language.\r\nThe move follows the decision of other ransomware gangs, like Hive, Blackcat, and Luna, of rewriting their\r\nransomware into Rust programming language.\r\nThe main reason to rewrite malware in Rust is to have lower AV detection rates, compared to malware written in\r\nmore common languages.\r\nRansomExx2 was developed to target Linux operating system, but experts believe that ransomware operators are\r\nalready working on a Windows version.\r\nRansomExx operation has been active since 2018, the list of its victims includes government agencies, the\r\ncomputer manufacturer and distributor GIGABYTE, and the Italian luxury brand Zegna. RansomExx is operated\r\nby the DefrayX threat actor group (Hive0091), the group also developed the PyXie RAT, Vatet loader, and Defray\r\nransomware strains.\r\nThe functionality implemented in RansomExx2 is very similar to previous RansomExx Linux variants.\r\nhttps://securityaffairs.co/wordpress/138933/malware/ransomexx-ransomware-rust-language.html\r\nPage 1 of 2\n\n“RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++\r\npredecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then\r\nencrypts files using AES-256, with RSA used to protect the encryption keys.” reads the analysis published by IBM\r\nSecurity X-Force.\r\nThe ransomware iterates through the specified directories, enumerating and encrypting files. The malware\r\nencrypts any file greater than or equal to 40 bytes and gives a new file extension to each file.\r\nThe RansomExx2 encrypts files using the AES-256 algorithm, it drops a ransom note in each encrypted directory.\r\n“RansomExx is yet another major ransomware family to switch to Rust in 2022 (following similar efforts\r\nwith Hive and Blackcat).” concludes the report. “While these latest changes by RansomExx may not represent a\r\nsignificant upgrade in functionality, the switch to Rust suggests a continued focus on the development and\r\ninnovation of the ransomware by the group,  and continued attempts to evade detection.”\r\nFollow me on Twitter: @securityaffairs and Facebook and Mastodon\r\n[adrotate banner=”9″] [adrotate banner=”12″]\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, RansomExx ransomware)\r\n[adrotate banner=”5″]\r\n[adrotate banner=”13″]\r\nSource: https://securityaffairs.co/wordpress/138933/malware/ransomexx-ransomware-rust-language.html\r\nhttps://securityaffairs.co/wordpress/138933/malware/ransomexx-ransomware-rust-language.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://securityaffairs.co/wordpress/138933/malware/ransomexx-ransomware-rust-language.html" ], "report_names": [ "ransomexx-ransomware-rust-language.html" ], "threat_actors": [ { "id": "bc333b03-6842-4964-a37d-99f10143bf33", "created_at": "2023-11-21T02:00:07.367885Z", "updated_at": "2026-04-10T02:00:03.46874Z", "deleted_at": null, "main_name": "DefrayX", "aliases": [ "Hive0091" ], "source_name": "MISPGALAXY:DefrayX", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434907, "ts_updated_at": 1775791513, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0331f42c608fcc93d86fc9edd1ec09d2052fa3dd.pdf", "text": "https://archive.orkl.eu/0331f42c608fcc93d86fc9edd1ec09d2052fa3dd.txt", "img": "https://archive.orkl.eu/0331f42c608fcc93d86fc9edd1ec09d2052fa3dd.jpg" } }