Luna, a new ransomware family in the wild, is being used to encrypt devices running Windows, Linux, and ESXi.

What happened?

Kaspersky security researchers discovered Luna through a dark web ransomware forum ad which was detected by the company's Darknet Threat Intelligence active monitoring system.
  • According to the ad, Luna works only with Russian-speaking affiliates, as it is designed specifically for Russian-speaking actors.
  • The ransom note, which is hardcoded inside the binary, contains spelling errors; the advertisement, for example, says "a little team" rather than "a small team."
Encryption scheme details

Luna is simple ransomware that is still in development and has limited capabilities. It uses a hybrid encryption scheme: X25519 elliptic-curve Diffie-Hellman key exchange (over Curve25519) to establish a key, and the Advanced Encryption Standard (AES) symmetric cipher to encrypt the data.
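The report names the primitives but not how the sample frames them, so the following is an added example (not Luna's code) of the general X25519-plus-AES hybrid pattern those primitives imply, written against Go's standard library. It assumes a container layout of ephemeral public key followed by AES-256-GCM ciphertext, SHA-256 as a stand-in key derivation step, and a zero nonce (sound only because each derived AES key encrypts exactly one message); the point for responders is that the public key embedded in a binary can only encrypt, and nothing short of the operator's private key decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
const pubLen = 32 // assumed container layout: ephemeralPub(32) || AES-256-GCM ciphertext+tag
// sessionAEAD turns an X25519 agreement between priv and pub into an AES-256-GCM instance.
func sessionAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)      // SHA-256 stands in for a proper KDF (assumption)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail here
	return cipher.NewGCM(block)
}
// hybridEncrypt makes a fresh X25519 key pair per message and agrees with the embedded long-term
// public key; the ephemeral private key is dropped, so only the long-term private key can rederive the AES key.
func hybridEncrypt(recipientPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(eph, recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes() // prefixed to the output and bound as associated data
	return aead.Seal(eph.PublicKey().Bytes(), make([]byte, aead.NonceSize()), plaintext, ephPub), nil // zero nonce: key used once
}
// hybridDecrypt recomputes the shared secret; with any other private key GCM's tag check fails.
func hybridDecrypt(recipientPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < pubLen {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(recipientPriv, ephPub)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), blob[pubLen:], blob[:pubLen])
}
```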

The cross-platform ransomware

Luna's authors confirm a recent trend among cybercrime gangs of using languages such as Rust and Golang to build malware that can target multiple operating systems with minimal changes.
  • Luna's originators developed this new strain in Rust and took advantage of the language's design attributes to port the ransomware to multiple platforms with minimal changes to the source code.
  • The cross-platform nature of Rust helps Luna ransomware evade automated static code analysis.
  • The Linux and ESXi samples are built from the same source code, with minor differences from the Windows version.

Conclusion

Despite the attacks, Kaspersky reports that there is very little data, if any, on Luna victims. The group was only recently discovered, and its activity is still being monitored. Stay tuned for more updates on Luna with daily threat intel.
Cyware Publisher