The Luna Ransomware
A new ransomware family, named Luna, is capable of encrypting data on devices running a variety of operating systems, including Windows, Linux, and ESXi.
Luna ransomware appears to be tailored for use only by Russian-speaking threat actors. Kaspersky security researchers discovered it through an advertisement posted on a dark-web ransomware forum, which was spotted by the company's Darknet Threat Intelligence active monitoring system.
The advertisement states that Luna will only collaborate with Russian-speaking affiliates. In addition, the ransom note hardcoded into the binary contains certain typographical errors, Kaspersky stated.
Because of this, the researchers have a fair amount of confidence in the assumption that the people behind Luna are native Russian speakers.
The ransomware known as Luna (which takes its name from the Russian word for moon) appends the .luna extension to every file it encrypts. According to the initial analysis, the malware is quite basic and still under development; its functionality is limited to what its available command-line options expose.
However, Luna employs a less common encryption scheme: it combines the Advanced Encryption Standard (AES) symmetric cipher with a fast and secure X25519 elliptic-curve Diffie-Hellman key exchange over Curve25519. This hybrid construction makes the encryption both quick and strong.
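Because the hybrid scheme leaves victims with no key to recover, the practical defender task is fast triage: find files carrying the reported .luna extension and confirm their contents look encrypted (near-maximal byte entropy). The following script is an added example written for this article, not code from Kaspersky or from the malware; the entropy threshold and the constructed sample files are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

LUNA_EXT = ".luna"        # extension the article reports Luna appends to encrypted files
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption: ciphertext sits close to the 8.0 maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_directory(root: str, sample_size: int = 65536) -> dict:
    """Walk `root` and report files by extension and entropy.

    Only the first `sample_size` bytes of each file are read, so large shares
    can be swept quickly. Compressed formats (zip, jpeg, ...) also score high,
    which is why the extension and the entropy are reported separately and
    only their intersection is labelled as suspect.
    """
    result = {"luna_files": [], "high_entropy": [], "suspect_encrypted": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            ent = shannon_entropy(fh.read(sample_size))
        rel = str(path.relative_to(root))
        is_luna = path.suffix == LUNA_EXT
        if is_luna:
            result["luna_files"].append(rel)
        if ent >= ENTROPY_THRESHOLD:
            result["high_entropy"].append(rel)
        if is_luna and ent >= ENTROPY_THRESHOLD:
            result["suspect_encrypted"].append(rel)
    return result


def build_sample_tree() -> str:
    """Constructed sample data, not real artifacts: one random-content .luna file
    (standing in for ciphertext) and one low-entropy plaintext document."""
    root = tempfile.mkdtemp(prefix="luna_triage_")
    (Path(root) / "report.docx.luna").write_bytes(os.urandom(65536))
    (Path(root) / "notes.txt").write_text("quarterly notes\n" * 2000)
    return root


if __name__ == "__main__":
    print(triage_directory(build_sample_tree()))
```

Run it against a mounted share or a forensic image copy to get a quick count of affected files before deeper analysis.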
Cross-platform ransomware based on the Rust programming language
The research reveals that the gang behind this new strain built it in Rust, taking advantage of the language's platform-agnostic nature to port the malware to several systems with very few changes to the source code.
By using a language that compiles for several platforms, the Luna ransomware is also able to evade automated static code analysis, Kaspersky notes.
The researchers also said that the source code of the Linux and ESXi samples is identical, and that the only difference from the Windows version is a few small tweaks. The remainder of the code has not undergone any major modification since the Windows version.
Luna provides further evidence of the recent trend among cybercriminal organizations toward cross-platform ransomware. These groups use programming languages such as Rust and Golang to build malware capable of targeting multiple operating systems with little or no modification.
According to Kaspersky, there is very little data, if any, on which victims have had their files encrypted by Luna. This is because the group was only recently discovered and its activity is still being monitored.