Luna Ransomware

Kaspersky security researchers have disclosed details of a brand-new ransomware family written in Rust, making it the third strain after BlackCat and Hive to use the programming language.

Luna, as it's called, is "fairly simple" and can run on Windows, Linux, and ESXi systems, with the malware banking on a combination of Curve25519 and AES for encryption.


"Both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version," the Russian firm noted in a report published today.

Advertisements for Luna on darknet forums suggest that the ransomware is intended for use only by Russian-speaking affiliates. Its core developers are also believed to be of Russian origin owing to spelling mistakes in the ransom note hard-coded within the binary.

"Luna confirms the trend for cross-platform ransomware," the researchers stated, adding how the platform agnostic nature of languages like Golang and Rust are giving the operators the ability to target and attack at scale and evade static analysis.

That said, there is very little information on the victimology patterns given that Luna is a freshly discovered criminal group and its activity is still being actively monitored.

Luna is far from the only ransomware to set its eyes on ESXi systems, what with another nascent ransomware family known as Black Basta undergoing an update last month to include a Linux variant.


Black Basta is also notable for starting up a Windows system in safe mode before encryption to take advantage of the fact that third-party endpoint detection solutions may not start after booting the operating system in safe mode. This enables the ransomware to go undetected and easily lock the desired files.

"Ransomware remains a big problem for today's society," the researchers said. "As soon as some families come off the stage, others take their place."

LockBit, however, remains one of the most active ransomware gangs of 2022, often relying on RDP access to enterprise networks to disable backup services and create a Group Policy to terminate running processes and execute the ransomware payload.

"LockBit's success is also due to its developers and affiliates continued evolution of features and tactics, which include the malware's fast encryption speed, ability to target both Windows and Linux machines, its brash recruitment drives, and high-profile targets," the Symantec Threat Hunter Team, part of Broadcom Software, said in a report.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.