New Luna ransomware targets Windows, Linux and ESXi systems

Kaspersky researchers discovered a new ransomware family written in Rust, named Luna, that targets Windows, Linux, and ESXi systems.

Researchers from Kaspersky Lab detailed a new ransomware family named Luna, which is written in Rust and is able to target Windows, Linux, and ESXi systems.

Luna ransomware is the third ransomware family that is written in Rust language, other malware strains are BlackCat and Hive.

The Luna ransomware was first spotted in June by the Kaspersky Darknet Threat Intelligence active monitoring system that spotted a new advertisement on a darknet ransomware forum. The adv states that the ransomware only works with Russian-speaking affiliates. 

According to the experts, who analyzed the command line options for the ransomware, Luna is fairly simple. The encryption scheme is unusual because it combines x25519 and AES.

The researchers noticed that the Windows version has minor changes compared with both the Linux and ESXi samples, which are compiled using the same source code.

The presence of spelling mistakes in the ransom note hardcoded in the binary of the ransomware suggests that the actors behind Luna ransomware are Russians. 

“Luna confirms the trend for cross-platform ransomware: current ransomware gangs rely heavily on languages like Golang and Rust. A notable example includes BlackCat and Hive. The languages being platform agnostic, the ransomware written in these can be easily ported from one platform to others, and thus, attacks can target different operating systems at once. In addition to that, cross-platform languages help to evade static analysis.” reads the report published by Kaspersky.

Researchers also provided details about another ransomware operation, named Black Basta, which updated its malware to target ESXi systems.

Researchers from Uptycs first reported the discovery of the new Black Basta ransomware variant that supports encryption of VMWare ESXi servers.

The move aims at expanding potential targets, the support for VMware ESXi was already implemented by many ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

The ransomware appends the .basta extension to the encrypted filenames and create ransom notes named readme.txt in each folder.

Kaspersky researchers reported that operators implemented a new functionality that relies on starting up the system in safe mode before encryption and mimicking Windows Services for persistence reasons.

Starting Windows system in safe mode allows Black Basta to bypass detection from multiple endpoint security solutions.

“The safe-mode reboot functionality is not something we come across every day, even though it has its advantages. For example, some endpoint solutions do not run in safe mode, meaning the ransomware will not be detected and files in the system can be “easily” encrypted.” concludes the report. “A trend, which we also discussed in our previous blog post, is that ESXi systems are increasingly targeted. The aim is to cause as much damage as possible. Luna and Black Basta are no exceptions. We expect that new variants will support encryption of VMs by default as well.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Luna ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]