Attivo Networks Blogs

Why Ransomware Groups Such as BlackCat Are Turning to Rust

The BlackCat ransomware group, also known as Alphv, has garnered attention from security researchers the world over following a chain of successful exploits in the U.S., France, Spain and the Philippines over a two-month timespan. Its most recent victims were oil terminals in Belgium, Germany and the Netherlands.

There are indicators to show that BlackCat is a successor to the BlackMatter and DarkSide ransomware groups. Reports show that BlackCat operators previously worked for the BlackMatter and DarkSide ransomware families (see: Ransomware: Alphv/BlackCat Is DarkSide/BlackMatter Reboot).

Unit 42’s analysis and researchers from cybersecurity firms Attivo Networks and CloudSEK tell Information Security Media Group that a key factor in BlackCat’s recent success is new ransomware code written in Rust that adds detection evasion capabilities, better security and versatility, which allow threat actors to attack both Linux and Windows systems.

The trend of ransomware groups switching to malware written in newer, unconventional languages has been observed as far back as 2014, when VirusBulletin reported how Visual Basic 6 was considered to be one of the “most hated binaries” owing to the complexity of reverse-engineering the code to analyze malware.

Ransomware developers aren’t the only ones to seek new approaches. Last July, the Blackberry Threat Intelligence Team released a report detailing how developers behind the Adwind Remote Access Trojan turned to the platform-agnostic Java language to target various operating systems. A similar tactic was involved in ransomware attacks attributed to APT29, aka Cozy Bear.

Rust Helps Evade Static Analysis

Rust has been around for over a decade. Designed by Graydon Hoare during his stint at Mozilla Research, Rust was developed in 2010 to enhance the performance of Mozilla Firefox. The Rust website describes the programming language as being “blazingly fast and memory-efficient.”

BlackCat’s migration to Rust, which can run on embedded devices and integrate with other languages, comes as no surprise to Carolyn Crandall, chief security advocate at network security specialist Attivo Networks. She tells ISMG that attackers are always going to innovate with new code that is designed to circumvent endpoint defense systems.

Crandall says BlackCat ransomware is “extremely sophisticated” because it is human-operated and command line-driven.

blog post by says that in addition to being fast and efficient, a command line interface is better at handling repetitive tasks, needs fewer resources and consumes less CPU processing time than other interfaces.

Read the full article on Bank Info Security.
