{ "id": "49783f65-baf5-45ee-a857-e9560b7b6d88", "created_at": "2026-04-06T01:30:28.393583Z", "updated_at": "2026-04-10T03:25:13.453243Z", "deleted_at": null, "sha1_hash": "bf345a5e28f1e744b6ab9e01dc0f11e82fc42cf2", "title": "RansomExx upgrades Rust", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59527, "plain_text": "RansomExx upgrades Rust\r\nBy Charlotte Hammond\r\nPublished: 2022-11-22 · Archived: 2026-04-06 01:15:14 UTC\r\nIBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has\r\nbeen rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to\r\nthe language.\r\nMalware written in Rust often benefits from lower AV detection rates (compared to those written in more common\r\nlanguages) and this may have been the primary reason to use the language. For example, the sample analyzed in\r\nthis report was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission.\r\nAs of the time of writing, the new sample is still only detected by 14 out of the 60+ AV providers represented in\r\nthe platform.\r\nRansomExx is operated by the DefrayX threat actor group (Hive0091), which is also known for the PyXie\r\nmalware, Vatet loader, and Defray ransomware strains. The newly discovered ransomware version is named\r\nRansomExx2 according to strings found within the ransomware and is designed to run on the Linux operating\r\nsystem. The group has historically released both Linux and Windows versions of their ransomware, so it is likely\r\nthat a Windows version is also in the works.\r\nRansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++\r\npredecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then\r\nencrypts files using AES-256, with RSA used to protect the encryption keys.\r\nThe Rust programming language has been steadily increasing in popularity among malware developers over the\r\ncourse of the past year, thanks to its cross-platform support and low AV detection rates. Like the Go programming\r\nlanguage, which has experienced a similar surge in usage by threat actors over the past few years, Rust’s\r\ncompilation process also results in more complex binaries that can be more time-consuming to analyse for reverse\r\nengineers.\r\nSeveral ransomware developers have released Rust versions of their malware including BlackCat, Hive, and Zeon,\r\nwith RansomExx2 being the most recent addition. X-Force has also analysed an ITG23 crypter written in Rust,\r\nalong with the CargoBay family of backdoors and downloaders.\r\nThe newly identified RansomExx2 sample has MD5 hash 377C6292E0852AFEB4BD22CA78000685 and is a\r\nLinux executable written in the Rust programming language.\r\nNotable source code path strings within the binary indicate that the ransomware is a variant of RansomExx and\r\nlikely named RansomExx2.\r\n/mnt/z/coding/aproject/ransomexx2/ransomexx/src/parallel_iter.rs\r\nransomexx/src/ciphers/aes256_impl.rs\r\nhttps://securityintelligence.com/x-force/ransomexx-upgrades-rust/\r\nPage 1 of 3\n\nransomexx/src/footer.rs\r\nransomexx/src/logic.rs\r\nransomexx/src/ransom_data.rs\r\nThe website operated by the ransomware group has also been updated with the page title now listed as\r\n‘ransomexx2’.\r\nFigure 1 — A screenshot of the ransomware group’s website showing the page title configured as ‘ransomexx2’\r\nOverall, the functionality of this ransomware variant is very similar to previous RansomExx Linux variants.\r\nThe ransomware expects to receive a list of directory paths to encrypt as input. If no arguments are passed to it,\r\nthen it does not encrypt anything. The following command line format is required by the ransomware in order to\r\nexecute correctly.\r\n\u003cransomexx2_sample\u003e –do \u003ctarget_path_to_encrypt\u003e\r\n[\u003cadditional_paths_to_encrypt\u003e (optional)]\r\nUpon execution, the ransomware iterates through the specified directories, enumerating and encrypting files. All\r\nfiles greater than or equal to 40 bytes are encrypted, with the exception of the ransom notes and any previously\r\nencrypted files.\r\nEach encrypted file is given a new file extension. It is common for RansomExx ransomware file extensions to be\r\nbased on a variation of the target company name, sometimes followed by the numbers such as ‘911’ or random\r\ncharacters.\r\nA ransom note is dropped in each directory where file encryption occurs. The ransom note is named:\r\n!_WHY_FILES_ARE_ENCRYPTED_!.txt\r\nThe contents of this note are as follows:\r\nHello!\r\nFirst of all it is just a business and the only thing we are interested in is money.\r\nAll your data was encrypted.\r\nPlease don’t try to modify or rename any of encrypted files, because it can result in serious data lo\r\nHere is your personal link with full information regarding this accident (use Tor browser):\r\nhttp://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/\u003cvictim_id\u003e/\r\nFiles are encrypted using AES-256 and a randomly generated key. The AES key is itself encrypted using RSA and\r\na hardcoded public key, and appended to the end of the encrypted file. As a result of this encryption method, the\r\nhttps://securityintelligence.com/x-force/ransomexx-upgrades-rust/\r\nPage 2 of 3\n\ncorresponding RSA private key, held by the attacker, would be required to decrypt the files.\r\nThe following RSA public key was used in the analysed sample:\r\n—–BEGIN PUBLIC KEY—–\r\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnU8bw0DQKJjkX1QWFUM8\r\no52NWkUNz4zvrGRJEwhGpJZ99ho0A/BqG5kK7X9pq3GOICD3+6g928JBo6d/3cNM\r\nQl5lS0LaZN3bxgiNPCWFEnYjLAagRMmi8unfZmGLjc3DDKT62Q0hrI86s1zB3ZhX\r\n6biNhXmwMaKEenpuqRBzGDqmIP9Uc9jK75SqF9T7nK1L9j+nKhYqWpeRDjDuvYPY\r\nXHdstU0TN/OmKvPosiQaIrcIs2MNQXP7rLtMbr9knJucwLymCkF+IpMky/NTKt3u\r\nDR+OJZZMSbmWCBATmz7P9E9Vp8jwrLzhMzEgs0G8yeseMQ2ZpZEm+MKabqkro74M\r\nxldocxoK2AL51ZE8c5TLYGOYbG2PAsdk/rlyRDk1diI07mCw/R4RlPcJRFDJO1eF\r\nb1A8yp6pQjD7rg+Y38b0Z8AZzmf3aKj2B8sHOtKoNR8hKJQRtWhqKAgpQtsJY81/\r\n2SaMLdU7yOqY34QWrGwiRei1WoJKzeyMvJjzmbTbYQYePxlbWeoV/fJ0P0IboYPH\r\niZ+WzXGG5Cxf7+zfZiCrbZuMqgCZdqc6ntQRcZqvw66a2Pxx4dO8AmGmxIJNzDnK\r\nlA6CHTwDeH7BgzYDD3IJxA7ofAAzqpw8H2eyRxsqLKTI2SAnmFqk85xpxWptmhOS\r\nBshihPaOu5a2ZXaPDeg6Lw8CAwEAAQ==\r\n—–END PUBLIC KEY—–\r\nElements such as RSA key, file extension, and the ransomware note name and contents, are encrypted within the\r\nbinary and decrypted by xoring the encrypted data with an equal-sized key.\r\nX-Force assesses it is highly likely that more threat actors will experiment with Rust going forward. RansomExx\r\nis yet another major ransomware family to switch to Rust in 2022 (following similar efforts with Hive and\r\nBlackcat). While these latest changes by RansomExx may not represent a significant upgrade in functionality, the\r\nswitch to Rust suggests a continued focus on the development and innovation of the ransomware by the group,\r\nand continued attempts to evade detection.\r\nTo schedule a no-cost consult with X-Force, click here.\r\nIf you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 |\r\nGlobal hotline (+001) 312-212-8034.\r\nSource: https://securityintelligence.com/x-force/ransomexx-upgrades-rust/\r\nhttps://securityintelligence.com/x-force/ransomexx-upgrades-rust/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://securityintelligence.com/x-force/ransomexx-upgrades-rust/" ], "report_names": [ "ransomexx-upgrades-rust" ], "threat_actors": [ { "id": "bc333b03-6842-4964-a37d-99f10143bf33", "created_at": "2023-11-21T02:00:07.367885Z", "updated_at": "2026-04-10T02:00:03.46874Z", "deleted_at": null, "main_name": "DefrayX", "aliases": [ "Hive0091" ], "source_name": "MISPGALAXY:DefrayX", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775439028, "ts_updated_at": 1775791513, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bf345a5e28f1e744b6ab9e01dc0f11e82fc42cf2.pdf", "text": "https://archive.orkl.eu/bf345a5e28f1e744b6ab9e01dc0f11e82fc42cf2.txt", "img": "https://archive.orkl.eu/bf345a5e28f1e744b6ab9e01dc0f11e82fc42cf2.jpg" } }