Ransomware isn’t going anywhere, and Managed Service Providers (MSPs) are at the forefront of the battle against cyber-criminals, responsible for protecting themselves and their clients — many of whom are small and medium-sized businesses (SMBs). Ransomware continues to be one of the most critical cyber threats and its impact is only growing. According to IBM’s Cost of a Data Breach Report 2023, ransomware breaches are not only becoming more frequent but also more expensive, with an average cost of $4.35 million per incident. MSPs, given their broad access to multiple client environments, have become prime targets, making it essential for them to stay informed and ready.
Why MSPs Should Be Concerned About Ransomware
The growing ransomware threat cannot be overstated. MSPs are trusted by SMBs to provide robust cybersecurity, but ransomware has proven it can beat the best of them. Verizon’s 2023 Data Breach Investigations Report highlights that ransomware accounts for 24% of all breaches, underscoring its prevalence. The consequences of a ransomware attack can be catastrophic, with the potential to cripple not just one organization, but multiple businesses connected through an MSP.
What is Rust-Based Ransomware?
Rust-based ransomware is a newer trend among cybercriminals, marking a shift from more traditional programming languages like C and C++. Rust, first released in 2015, has gained significant traction due to its performance, safety features, and cross-platform capabilities. Ransomware operators are now using Rust to develop more potent variants that are harder to detect and analyze.
One of the key reasons for this shift is Rust’s complex memory model, which makes it difficult for security researchers to reverse-engineer malware. Moreover, Rust’s cross-platform nature allows cybercriminals to target multiple operating systems with the same codebase, making attacks more efficient and cost-effective.
Who is the Target?
Much like their predecessors, Rust-based ransomware operators focus on high-value targets, often using the double-extortion tactic where they steal and encrypt data, threatening to leak it if the ransom is not paid. Industries such as manufacturing, healthcare, and finance are frequently in the crosshairs due to their reliance on continuous operations and their sensitivity to downtime. Geographically, North America has been a major target, as observed in many attacks involving Rust-based ransomware variants.
Key Rust-Based Ransomware Variants
Several ransomware groups have adopted Rust to improve the efficiency and effectiveness of their attacks. Let’s take a look at four prominent examples:
- BlackCat (ALPHV): Active since 2021, BlackCat (ALPHV) is a notorious Rust-based ransomware variant that operates as Ransomware-as-a-Service (RaaS), allowing affiliates to share profits. It’s highly versatile, targeting Windows, ESXi, and Linux, and frequently updates its tools like Exmatter for data exfiltration. The FBI’s 2023 takedown of its leak site highlights the ongoing battle with law enforcement.
- Hive Ransomware: Discovered in 2021, Hive switched from Golang to Rust after vulnerabilities in its original code were exploited. Known for major attacks on healthcare institutions and on the Costa Rican government, Hive’s operations were disrupted by law enforcement in 2023, but it showcases how quickly ransomware groups evolve.
- Hunters International: Debuting in 2023, Hunters International is likely a rebrand of Hive, using similar code but claiming independence. Written in Rust, it employs double extortion but also features new encryption methods like ChaCha20 and RSA. The group targets both Windows and Linux, sometimes opting for exfiltration over encryption.
- Cicada3301: Discovered in mid-2024 and written in Rust, Cicada3301 has surfaced as a significant threat, drawing parallels to the infamous BlackCat strain. It targets small to medium-sized businesses, primarily in North America and England, by exploiting vulnerabilities to gain access. Cicada3301 distinguishes itself with advanced credential integration tactics and has bypassed top-tier EDR solutions.
See more on Cicada in this reverse-engineering video done by Blackpoint APG.
Ransomware Isn’t Going Anywhere
Rust-based ransomware represents the next frontier in ransomware attacks. By leveraging Rust’s complexity and cross-platform capabilities, threat actors have found a way to outpace traditional defense measures. As MSPs continue to be targeted due to their access to multiple organizations, it is crucial for them to remain vigilant, stay updated on the latest ransomware trends, and ensure robust defenses are in place.
MSPs must invest in proactive cybersecurity measures such as advanced threat detection, regular patch management, and robust backup strategies to minimize the impact of potential ransomware incidents. Ransomware is not going away, but by staying ahead of the curve, MSPs can better protect themselves and their clients from these evolving threats.
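As an added example of the "advanced threat detection" this paragraph calls for (not code from the original post or from Blackpoint), the script below runs two behavioural ransomware heuristics over file-audit events: a burst of renames in which one new file extension dominates, and a ransom-note-like file being created in several directories. The pipe-delimited log format, the process names, the `.locked` extension, the thresholds and the sample events are all constructed assumptions for the demonstration; the same rules would be adapted to whatever file-activity telemetry an MSP's EDR or Sysmon pipeline actually produces.

```python
"""Behavioural ransomware heuristics over file-audit events (constructed sample data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical audit-log format (an assumption, not any product's real schema):
#   <ISO-8601 timestamp>|<pid>|<process image>|<OP>|<path>   (RENAME path is "old -> new")
EVENT_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<pid>\d+)\|(?P<image>[^|]+)\|(?P<op>[A-Z]+)\|(?P<path>.+)$")
# File names typical of ransom notes (README/RECOVER/HOW_TO...DECRYPT... as .txt/.html/.hta).
NOTE_RE = re.compile(r"(readme|recover|restore|how.?to|decrypt)[^\\/]*\.(txt|html|hta)$", re.I)


def build_sample_log():
    """Constructed sample: one benign editor process saving files at a human pace, and one
    process that renames 25 spreadsheets to a single new extension within half a minute
    and drops a note file in three folders."""
    t0 = datetime(2024, 6, 1, 10, 0, 0)
    lines = []
    for i in range(5):  # benign: writes, no extension change, 30 s apart
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts}|4120|C:\\Program Files\\Office\\WINWORD.EXE|WRITE|C:\\Users\\a\\Documents\\report{i}.docx")
    evil = "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe"  # constructed, hypothetical image
    for i in range(25):  # suspicious: one rename per second, all appending ".locked"
        ts = (t0 + timedelta(seconds=i)).isoformat()
        folder = f"C:\\Shares\\Finance\\Q{i % 3}"
        lines.append(f"{ts}|7781|{evil}|RENAME|{folder}\\inv{i}.xlsx -> {folder}\\inv{i}.xlsx.locked")
    for d in range(3):  # suspicious: ransom-note-like file created in each folder
        ts = (t0 + timedelta(seconds=26 + d)).isoformat()
        lines.append(f"{ts}|7781|{evil}|CREATE|C:\\Shares\\Finance\\Q{d}\\RECOVER-FILES.txt")
    return lines


def parse(lines):
    """Parse audit lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return events


def _ext(path):
    name = re.split(r"[\\/]", path)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def _dirname(path):
    return re.split(r"[\\/](?=[^\\/]*$)", path)[0]


def new_extension(rename_path):
    """For an 'old -> new' rename, return the new file's extension if it differs from the old one."""
    if " -> " not in rename_path:
        return None
    old, new = rename_path.split(" -> ", 1)
    new_ext = _ext(new)
    return new_ext if new_ext and new_ext != _ext(old) else None


def detect(lines, window=timedelta(seconds=60), min_renames=20, dominance=0.8):
    """Return alerts per process. Rule 1: at least `min_renames` renames inside `window`
    where a single new extension accounts for `dominance` of them. Rule 2: a ransom-note-like
    file created in two or more distinct directories. Thresholds are illustrative."""
    by_pid = defaultdict(list)
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        image = evs[0]["image"]
        renames = [e for e in evs if e["op"] == "RENAME"]
        start = 0
        for end in range(len(renames)):  # sliding time window over this process's renames
            while renames[end]["ts"] - renames[start]["ts"] > window:
                start += 1
            burst = renames[start:end + 1]
            if len(burst) >= min_renames:
                ext, n = Counter(new_extension(e["path"]) for e in burst).most_common(1)[0]
                if ext and n / len(burst) >= dominance:
                    alerts.append({"pid": pid, "image": image, "rule": "mass_rename",
                                   "extension": ext, "count": n})
                    break  # alert once, at the moment the threshold is first crossed
        note_dirs = {_dirname(e["path"]) for e in evs
                     if e["op"] == "CREATE" and NOTE_RE.search(e["path"])}
        if len(note_dirs) >= 2:
            alerts.append({"pid": pid, "image": image, "rule": "ransom_note",
                           "directories": len(note_dirs)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Both rules key on behaviour rather than on the binary, which is the point of watching Rust-based families: a rewrite in a new language changes hashes and reverse-engineering effort, not the fact that the payload must rename or rewrite thousands of files and leave instructions behind. In practice the window and count thresholds need tuning per client against legitimate bulk operations such as backup agents and archive tools, and a mass-rename alert should trigger isolation of the host rather than just a ticket.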
In the world of anonymous algorithms and advancing cyber threats, the battle against Rust-based ransomware is just beginning. Stay prepared—because the next wave of ransomware is already here.