Rust-Based Ransomware Variants Increase Speed and Stealth

Date:

September 13, 2023


Researchers documented a new ransomware strain dubbed “3AM” that was used as a secondary payload in an attack after an attempt to deploy LockBit ransomware on a targeted network failed.

It was assessed that 3AM is written in the Rust programming language and does not appear to be related to any other known ransomware family.

“Before starting to encrypt files, 3AM tries to stop multiple services running on the infected system for various security and backup products from vendors like Veeam, Acronis, Ivanti, McAfee, or Symantec,” Bleeping Computer reports.

“Once the encryption process completes, files have the .THREEAMTIME extension and the malware also attempts to delete Volume Shadow copies that could be used to recover the data.”
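The behaviour described above (stopping backup and security services, then deleting Volume Shadow copies) is a sequence defenders can correlate in process-creation telemetry. The following is an added detection example, not code from the article or from Halcyon; the log format, the `net stop`/`sc stop` and `vssadmin delete shadows` command patterns, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation log lines (time, host, command line),
# loosely modelled on an EDR or Sysmon Event ID 1 feed. Illustrative only,
# not real 3AM telemetry.
SAMPLE_LOGS = [
    "2023-09-12T03:00:01Z ws01 cmd.exe /c net stop VeeamBackupSvc",
    "2023-09-12T03:00:02Z ws01 cmd.exe /c net stop AcronisAgent",
    "2023-09-12T03:00:03Z ws01 cmd.exe /c net stop McAfeeFramework",
    "2023-09-12T03:00:10Z ws01 vssadmin.exe delete shadows /all /quiet",
    "2023-09-12T03:05:00Z ws02 net stop Spooler",
    "2023-09-12T09:15:00Z ws03 vssadmin.exe list shadows",
]

# Vendors the article names as targets of the service-stop attempts.
VENDOR_KEYWORDS = ("veeam", "acronis", "ivanti", "mcafee", "symantec")
# Assumed command shapes for service stops and shadow-copy deletion.
SERVICE_STOP = re.compile(r"\b(?:net1?\s+stop|sc(?:\.exe)?\s+stop)\s+(\S+)", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)
WINDOW = timedelta(minutes=15)

def parse(line):
    ts, host, cmd = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, cmd

def detect(lines, window=WINDOW):
    """Return {host: [vendors]} for hosts where a shadow-copy deletion follows
    stop attempts against services of at least two named vendors within
    `window`. A lone `net stop` or a read-only `vssadmin list` is not flagged."""
    stops = defaultdict(list)  # host -> [(time, vendor)]
    hits = {}
    for line in lines:
        ts, host, cmd = parse(line)
        m = SERVICE_STOP.search(cmd)
        if m:
            svc = m.group(1).lower()
            vendor = next((v for v in VENDOR_KEYWORDS if v in svc), None)
            if vendor:
                stops[host].append((ts, vendor))
            continue
        if SHADOW_DELETE.search(cmd):
            recent = {v for t, v in stops[host] if ts - t <= window}
            if len(recent) >= 2:
                hits[host] = sorted(recent)
    return hits
```

Requiring two distinct vendors plus the deletion step keeps routine administrative service restarts from firing the rule.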

Takeaway: More ransomware variants written in the Rust language continue to emerge in the wild, which should be concerning for security teams, as Rust allows for advanced evasion capabilities by disabling security tools and evading sandbox analysis.

Rust is a secure programming language that offers exceptional performance for concurrent processing and cross-platform development, along with superior memory management and compilation speeds compared with languages like C++ and Golang; leveraging Rust also makes extraction of a decryptor key much more difficult to achieve.

BlackCat/ALPHV was the first ransomware group to use Rust, back in 2021, followed by the Hive ransomware gang; other Rust-based variants have since been observed from groups like RansomExx, Nokoyawa, and Qilin.

The emergence of the Rust-based 3AM ransomware family is strong evidence that ransomware operators continue to put a considerable amount of resources into development and the advancement of their capabilities.

The cross-platform capabilities Rust provides also mean we are likely to see more variants designed to target Linux systems. With groups like Icefire, LockBit, Black Basta and Cl0p targeting Linux environments, we can expect some attacks to cause widespread disruptions across several key sectors, impacting a larger population of collateral victims.

Attacks on Linux systems are potentially devastating and have a broad impact, and the greater the pain these threat actors can bring to targets, the more they anticipate they can demand in ransom payments.

Linux is favored for large network applications and data centers, and it drives most of the U.S. government and military networks, our financial systems, and even the backbone of the internet.

The continued development of ransomware variants written in Rust, particularly those targeting Linux systems, is something we should definitely keep an eye on.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.