Cyberattackers are now adopting the Rust programming language, with popular ransomware and malware families like BlackCat (ALPHV), Hive, Luna, RansomExx, and Agenda increasingly launching attacks coded in Rust. These attacks evade traditional threat detection solutions and are challenging for cybersecurity professionals to reverse engineer. It’s estimated that 10-15% of ransomware attacks today are coded in Rust.
Established in 2015 by the Rust Foundation and supported by AWS, Huawei, Google, Microsoft, and Mozilla, Rust is a powerful coding language. According to Stack Overflow’s 2023 developer survey, Rust has been “the most desired programming language” for eight consecutive years, with over 80% of developers wanting to use it.
SlashData reports there were approximately 2.8 million Rust developers worldwide in 2023, a threefold increase over the past two years. GitHub credits Rust’s popularity to its “safety, performance, and productivity” compared to other languages like C, C++, Python, and JavaScript. Sanjay Katkar, joint managing director at Quick Heal Technologies, highlighted Rust’s crucial advantage of memory safety, which prevents buffer overflows. Additionally, Rust offers concurrency and zero-cost abstractions, enabling developers to write efficient and thread-safe code.
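To make the memory-safety point above concrete, here is an added example (not code from the article or from any of the malware families it names) of the kind of bug Rust's bounds checking removes: a parser for length-prefixed records, where a malicious length byte would cause an over-read in C. The record format, the `ParseError` type and the sample bytes are all constructed for this illustration.

```rust
// Added example: a length-prefixed record parser written with Rust's
// checked slicing. Trusting the length field is the classic buffer
// over-read in C; in Rust the slice bounds are enforced at run time.

/// Error returned when a record does not fit in the supplied buffer
/// (hypothetical type, defined for this example).
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated { declared: usize, available: usize },
}

/// Parse one record: a 1-byte length followed by `length` payload bytes.
/// Returns the payload and the number of bytes consumed.
pub fn parse_record(buf: &[u8]) -> Result<(&[u8], usize), ParseError> {
    // `get` yields None instead of reading past the end of the buffer.
    let len = *buf
        .get(0)
        .ok_or(ParseError::Truncated { declared: 1, available: 0 })? as usize;
    let payload = buf.get(1..1 + len).ok_or(ParseError::Truncated {
        declared: len,
        available: buf.len().saturating_sub(1),
    })?;
    Ok((payload, 1 + len))
}

/// Parse every record in a buffer, stopping at the first malformed one.
pub fn parse_all(mut buf: &[u8]) -> (Vec<Vec<u8>>, Option<ParseError>) {
    let mut out = Vec::new();
    while !buf.is_empty() {
        match parse_record(buf) {
            Ok((payload, used)) => {
                out.push(payload.to_vec());
                buf = &buf[used..];
            }
            Err(e) => return (out, Some(e)),
        }
    }
    (out, None)
}

/// The plain index form of the same logic. An oversized length field makes
/// Rust abort with a bounds-check panic rather than silently read whatever
/// sits next to the buffer in memory.
pub fn payload_index_form(buf: &[u8]) -> &[u8] {
    let len = buf[0] as usize;
    &buf[1..1 + len]
}

fn main() {
    // Constructed sample: two well-formed records, then a record whose
    // length byte (0xFF) claims far more data than remains.
    let sample: &[u8] = &[3, b'a', b'b', b'c', 2, b'x', b'y', 0xFF, 1, 2];
    let (records, err) = parse_all(sample);
    println!("parsed {} records, error: {:?}", records.len(), err);

    // The index form fails closed: the panic is caught here only to show it.
    let bad: &[u8] = &[0xFF, 1, 2];
    let outcome = std::panic::catch_unwind(|| payload_index_form(bad).len());
    println!("index form panicked: {}", outcome.is_err());
}
```

The checked version turns the malformed length into a typed error the caller can log and reject, while the index version still cannot read out of bounds: the worst outcome is a panic, which is a crash rather than a silent memory-corruption primitive.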
“Rust compilers make it very complex to reverse engineer any kind of a malicious binary that has been coded,” said Anshuman Sharma, director of cybersecurity consulting services at Verizon Business. “The detection or autopsy of a malicious binary becomes complex and time-consuming.”
The Luna predator group, for example, is using two encryption algorithms within the same malware—Diffie-Hellman and AES encryption—an unprecedented approach. “This makes it complex for generally used debuggers and disassemblers to reverse engineer and see what the code is doing,” Sharma said.
“Cybersecurity researchers have uncovered various instances of Rust-based malware, including remote access trojans targeting Windows systems and backdoors with cross-platform capabilities,” said Vaibhav Tare, chief information security officer at Fulcrum Digital.
“The absence of memory leaks or crashes ensures that the ransomware remains persistent and effective, making it harder for detection and removal by security tools,” added Quick Heal’s Katkar.
As traditional defense mechanisms struggle to detect and mitigate threats built with modern programming languages, organizations need to invest “in advanced threat detection techniques, threat intelligence sharing, and collaboration among security researchers,” said Katkar. Next-gen anti-malware systems can detect and suppress “even the most well-obfuscated pieces of malware – regardless of the programming language used,” noted Aaron Bugal, field chief technology officer – APJ at Sophos.