Why Bad Actors are Transitioning to Rust

Round and round we go. It’s the nature of cybersecurity. Hackers discover an exploitable attack avenue, and a patch is then created to block it, except it doesn’t end there. Hackers just find another vulnerability and the battle rages on. It’s not just cybersecurity companies that must constantly innovate to remain relevant. Hackers must do the same in the cat and mouse struggle in which the mouse strives to operate undetected by the cat.

As well-known management consultant, Peter Drucker, once said, “Innovate or die.” Whether it’s ransomware, denial-of-service attacks, or data scraping breaches, the hacking community never remains idle. They have talent and resources too, which makes them a formidable foe. While having the right tools is essential to protect your network resources, cybercriminals are constantly striving to find new ways to subvert those tools. The practice of purchasing a new best-of-bred tool to combat each new threat only adds to the futility of the cycle.

BlackCat’s Rise Towards the Top

Over the years we have witnessed an order reshuffling of the biggest cybersecurity vendors as things change in the security industry. Similarly, ransomware groups also rise in stature and prominence, only to one day fall for one reason or another. A case in point is the BlackCat organization that offers its services under the Ransomware-as-a-Service model. BlackCat came out of nowhere almost overnight in 2020 and quickly become the seventh most prominent ransomware operation in the world. Some of their popularity can be attributed to their generous 80% cut to their affiliates. They also vet all their affiliates and provide extensive training resources to ensure these partners have the know-how to see their attacks through to the end. However, for those affiliates to see their money, BlackCat must have the right technology innovation. One of the primary reasons for their sudden rise in prominence is their use of a new programming language called Rust.

Rust Innovation

Using alternative programming languages is nothing new for malware creators. Rust is just the latest example. Rust was created back in 2010 as an alternative language to C++ and was used in multiple desktop software applications including Mozilla Firefox. It has the reputation for being very fast due to its memory efficiency, which also makes it more stable. This practice of utilizing a legitimate tool for malicious purposes is nothing new either. A great example is the use of NPM packages by cybercriminals for malevolent deeds. BlackCat’s Rust enabled version features a command line interface that makes it ideal for handling repetitive tasks while also offering the ability to add or remove functions as needed.  The Rust coding platform consumes minimal resources, so it can be run on just about any device. While ransomware is still traditionally coded with C, C++, and an open programming language called GoLang, BlackCat was the first to utilize Rust. They aren’t the only ones, however. Microsoft recently released a notification that Hive Ransomware, which is barely a year old, is also using Rust.

The Evasive Nature of Rust

While its performance and functionality are definite draws for BlackCat and other criminal organizations, the primary benefit is its ability to evade conventional endpoint security solutions. It seeks out a list of services and processes associated with well-known security solutions and tools that may obstruct the attack. Rust also makes it tougher for malware companies to reverse engineer it. Rust enabled ransomware attacks seeking out backup systems to destroy the backups and render their ability to restore files to production status. For a typical small business, all of this goes on undetected.

BlackCat Ransomware offers actors up to four different encryption modes such as full file encryption and fast encryption which only encrypts the first X number of megabytes. Attackers can encrypt files according to file location, file type, and file size. It also uses a different approach to encrypting the files. Rather than embedding an encrypted key in each encrypted file, the files are generated in memory. Once the encryption process is complete, the keys are then written to the encrypted drive root.

New Code Type but Same Behavior

There are some things that every type of cyberattack has in common. They are all reliant on some type of backdoor that allows external actors to perform command and control operations. All ransomware attacks are also dependent on some type of payload download. They depend on laterally moving across the network to spread their mayhem. In other words, regardless of what programming language they utilize, they behave pretty much the same, which means that their behaviors can be identified. If you can kill the command-and-control connection, you eliminate the ability of external attacks to act upon their attack. Thwarting an attack at its beginning is key to containing it, if not stopping it entirely. You just need a set of watchful eyes that know what to look for.

Why a SOC is the Great Equalizer

So, while external threat actors can utilize new innovative trends to evade traditional security tools, security experts are all too familiar with the current tactics that ransomware uses. This is where the value of a security operations center (SOC) comes into play. Partnering with a SOC doesn’t require you to purchase a new set of best-of-breed tools. A SOC can leverage the client’s existing security systems in place while integrating SIEM technology and a dedicated security team with expertise in strategic monitoring, proactive threat hunting, and forensic investigation.  For MSPs and MSSPs, a SOC allows them to take their protection services to the next level, expanding their knowledge base and getting them easy access to advanced security skill sets.


There will always be a new wrinkle introduced by hackers in their quest come out ahead in the perpetual struggle against cybersecurity defenses. Today it happens to be a new programming platform and tomorrow it will be something else. The key is to ensure that your business remains as proactive as possible. Hackers and malware creators will continue to evade traditional tools and conceal their intentions, but the addition of a SOC will ensure that their attempts to infiltrate your network remain just that.

Sign Up for Updates