Kaspersky researchers have identified a new ransomware group that further underlines the trend towards using cross-platform functionalities. The Luna group uses ransomware written in Rust. It allows malware to be easily adapted from one operating system to another.
Using malware written in Rust, Luna can attack Windows, Linux, and ESXi systems at once. The Dark Web ad spotted by Kaspersky states that Luna only works with Russian-speaking partners. In addition, the ransom note hardcoded in the binary contains some misspellings, suggesting that the group may be Russian-speaking. Since Luna is a newly discovered group, data on their victimology is still scarce - however, Kaspersky is actively monitoring Luna's activities.
A ransomware for many platforms
Luna's discovery highlights the recent trend towards cross-platform ransomware; Languages like Golang and Rust have been used extensively by modern day ransomware gangs for the past year. These include BlackCat and Hive, among others, with the latter using both Go and Rust. These programming languages are platform-independent, so ransomware written with them can be easily ported to other platforms. The attacks can thus be directed at several operating systems at the same time.
New ransomware variant from actor Black Basta
Another recent investigation by Kaspersky provides a deeper look into the activities of ransomware actor Black Basta. This group runs a new ransomware variant, written in C++, that was first discovered in February 2022. Since then, Black Basta has managed to attack more than 40 victims - mostly in the United States, Europe and Asia.
Kaspersky's research shows that both Luna and Black Basta target ESXi systems as well as Windows and Linux - another ransomware trend of 2022. ESXi is a hypervisor that can be used independently of other operating systems. With many companies using ESXi-based virtual machines, it has become easier for attackers to encrypt their victims' data.
"The trends we outlined earlier this year seem to be strengthening," said Jornt van der Wiel, security expert at Kaspersky. “We see more and more cybercriminal gangs using cross-platform languages to develop their ransomware. This allows them to deploy their malware on a variety of operating systems. The increasing attacks on ESXi virtual machines are alarming. We expect more and more ransomware families to use this strategy.”
More at Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/