
Kaspersky security researchers have discovered a new ransomware family written in Rust, making it the third strain after BlackCat and Hive to use the language.
The malware, dubbed Luna, is “fairly simple,” can run on Windows, Linux, and ESXi systems, and relies on Curve25519 and AES for encryption.
The Russian company stated in a report released today that “both the Linux and ESXi samples are compiled using the same source code with a few minor changes from the Windows version.”
Darknet forum advertisements for Luna imply that the ransomware is only meant to be used by affiliates who speak Russian. Its core developers are also thought to be of Russian descent, because of spelling errors in the ransom note hard-coded into the binary.
Luna “confirms the trend for cross-platform ransomware,” the researchers wrote, pointing out how operators are able to target and attack at scale while avoiding static analysis thanks to the platform independence of languages like Golang and Rust.
Nevertheless, given that Luna is a recently identified criminal organization and its activity is still being actively monitored, very little is known about its victimology patterns.
Luna is by no means the only ransomware to target ESXi systems: another emerging ransomware family, Black Basta, was updated last month to include a Linux variant.
Black Basta is notable for starting up a Windows system in safe mode before encryption, taking advantage of the possibility that third-party endpoint detection solutions won’t launch after the operating system boots in safe mode. This lets the ransomware easily lock the desired files while remaining undetected.
The most active ransomware gang in 2022 is still LockBit, which frequently uses RDP access to corporate networks to disable backup services, create a Group Policy to end running processes and execute the ransomware payload.