- Cybersecurity researchers discovered a new ransomware family called Luna, written in Rust and aimed at Russian-speaking affiliates.
- Luna is relatively simple; it uses a combination of Curve25519 and AES for its encryption scheme, and the Linux and ESXi samples use the same source code with small differences.
- The researchers expect new variants to support the encryption of virtual machines by default.
Kaspersky security researchers observed a brand-new ransomware family written in Rust, called "Luna", on darknet ransomware forums. It infects Windows, Linux, and ESXi systems and works only with Russian-speaking affiliates.
Brand-new ransomware is written in Rust
Kaspersky security researchers were alerted to Luna via an advertisement on a hacker forum. It is written in Rust and runs on Windows, Linux, and ESXi systems. Current ransomware groups such as BlackCat and Hive often use languages like Golang and Rust, so it is no surprise that the newly created Luna follows this trend. Ransomware written in these languages can be easily ported from one platform to another, so attacks can target different operating systems at once. Additionally, cross-platform languages help evade static analysis.
Based on this knowledge, the researchers continued their monitoring to find further details about Luna. The group states that although Luna is relatively simple, it uses a combination of Curve25519 and AES for the encryption scheme. The Linux and ESXi samples also use the same source code, with only small changes from the Windows version. The ransomware is intended for use only by Russian-speaking affiliates, as per an advertisement published on the darknet forums. It is believed that the actors may be of Russian origin. The researchers said:
«Also, the ransom note hardcoded inside the binary contains spelling mistakes. For example, it says “a little team” instead of “a small team”. Because of this, we assume with medium confidence that the actors behind Luna are speakers of Russian.»
Kaspersky researchers also reported on another relatively new ransomware called Black Basta, written in C++ and targeting ESXi systems. The malware was first noticed in February 2022. Since then it has matured, adding new functionality for starting up the system in safe mode before encryption and for mimicking Windows Services for persistence.
The researchers wrote in a blog post that there is a growing trend of ransomware creators targeting ESXi systems. Because Luna has only recently been discovered, there is little data on its targets. However, both Luna and Black Basta aim to cause as much damage as possible, and the researchers expect new variants to support the encryption of virtual machines by default.