New Rust-Based Ransomware Family Targets Windows, Linux, and ESXi Systems — The Hacker News


Kaspersky’s security researchers have revealed details of a brand new ransomware family written in Rust, making it the third family, after BlackCat and Hive, to use the programming language.

Luna, as it’s called, is “fairly simple” and can run on Windows, Linux, and ESXi systems, with the malware using a combination of Curve25519 and AES for encryption.

“Both the Linux and ESXi samples are compiled from the same source code with some minor changes from the Windows version,” the Russian company noted in a report published today.

Advertisements for Luna on darknet forums suggest that the ransomware is only intended for use by Russian-speaking partners. It is also believed that the core developers are of Russian origin due to spelling errors in the ransom note, which is hard-coded in the binary.

“Luna confirms the trend for cross-platform ransomware,” the researchers said, adding that the cross-platform nature of languages like Golang and Rust gives operators the ability to target and attack at scale and bypass static analysis.

That said, there is very little information about the patterns of victimology, as Luna is a newly discovered criminal group and its activities are still actively monitored.

Luna is far from the only ransomware to have its eyes on ESXi systems, with another emerging ransomware family known as Black Basta updated with a Linux variant last month.

Black Basta is also notable for booting a Windows system in safe mode before encryption, taking advantage of the fact that third-party endpoint detection solutions may not start when the operating system boots in safe mode. This allows the ransomware to go undetected and easily lock the desired files.
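The safe-mode tactic described above leaves two things a defender can check for: a change to the boot configuration that forces the next restart into safe mode, and an endpoint agent whose service is not registered to start under safe mode. The following is an added example (not code from the article, Kaspersky or any vendor named here) that runs both checks over constructed input: the event records, host names, user names and the `CorpEDR` service name are all made up for the example. On Windows, the boot-configuration change is made with the built-in `bcdedit` tool's `safeboot` option, and the services that are allowed to start in safe mode are listed under `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal` and `\Network`; the example works on an in-memory copy of those names so that it runs offline.

```python
import re
from typing import Iterable

# Constructed process-creation records in a Sysmon-style shape (host, user,
# image, command line). These are sample data written for this example, not
# telemetry from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\shutdown.exe",
     "cmdline": "shutdown /r /t 0"},
    {"host": "ws02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
    {"host": "srv03", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /deletevalue {default} safeboot"},
]

# "bcdedit ... safeboot <mode>" arms a safe-mode boot on the next restart;
# "bcdedit /deletevalue ... safeboot" removes that setting again (the clean-up
# step after the job is done). Both are worth alerting on outside planned
# maintenance.
SAFEBOOT_SET = re.compile(
    r"\bbcdedit(\.exe)?\b.*\bsafeboot\b\s+(minimal|network|dsrepair)\b", re.I)
SAFEBOOT_CLEAR = re.compile(
    r"\bbcdedit(\.exe)?\b.*/deletevalue\b.*\bsafeboot\b", re.I)


def find_safeboot_changes(events: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Return (host, user, action) for every event that arms or clears safe mode.

    action is "set:<mode>" for a new safeboot setting and "clear" for removal.
    Ordinary bcdedit use such as "/enum" is deliberately not reported.
    """
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        m = SAFEBOOT_SET.search(cmd)
        if m:
            hits.append((ev["host"], ev["user"], f"set:{m.group(2).lower()}"))
            continue
        if SAFEBOOT_CLEAR.search(cmd):
            hits.append((ev["host"], ev["user"], "clear"))
    return hits


def services_missing_in_safe_mode(registered: Iterable[str],
                                  required: Iterable[str]) -> list[str]:
    """Return required services that would NOT start in safe mode.

    `registered` is the set of subkey names found under the SafeBoot\\Minimal
    or SafeBoot\\Network key; `required` is the set of services (for example
    the endpoint agent) that must survive a safe-mode boot. The comparison is
    case-insensitive because Windows service names are.
    """
    have = {name.lower() for name in registered}
    return sorted(s for s in required if s.lower() not in have)


# Constructed snapshot of the SafeBoot\Network subkeys on a host. "CorpEDR" is
# a hypothetical endpoint-agent service name used only for this example.
SAMPLE_SAFEBOOT_NETWORK = ["Base", "LanmanWorkstation", "NetworkProvider",
                           "RpcSs", "Tcpip"]
REQUIRED_IN_SAFE_MODE = ["CorpEDR", "RpcSs"]


if __name__ == "__main__":
    for host, user, action in find_safeboot_changes(SAMPLE_EVENTS):
        print(f"ALERT {host}: {user} changed safe-mode boot setting ({action})")
    for svc in services_missing_in_safe_mode(SAMPLE_SAFEBOOT_NETWORK,
                                             REQUIRED_IN_SAFE_MODE):
        print(f"GAP: service {svc} is not registered to start in safe mode")
```

Run against the constructed data, the first check flags the `ws01` event that arms a network safe-mode boot and the `srv03` event that clears it, and the second reports that `CorpEDR` would not start under safe mode. In production the same two functions would take their input from process-creation telemetry and from the live `SafeBoot` registry keys, and the second check is the one to run proactively: an agent that is not registered there is exactly what the tactic in the article relies on.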

“Ransomware remains a major problem for today’s society,” the researchers said. “Once some families come off the stage, others take their place.”

However, LockBit remains one of the most active ransomware gangs of 2022, often relying on RDP access to corporate networks to disable backup services and Group Policy to terminate running processes and execute the ransomware payload.

“LockBit’s success is also due to the developers and affiliates’ continued evolution of features and tactics, including the malware’s high encoding speed, the ability to target both Windows and Linux machines, brash recruiting and high-profile targets,” the Symantec Threat Hunter Team, part of Broadcom Software, said in a report.