Luna in Rust: New ransomware group emerges using cross-platform programming language
Luna gang continues ongoing trend trend
Woburn, MA – July 20, 2022 – Kaspersky researchers have uncovered a new ransomware group, dubbing it Luna. The group continues the recent trend of ransomware actors turning to cross-platform functionality. Luna uses ransomware written in Rust, a programming language that has been previously used by BlackCat and Hive gangs, among others. It allows them to easily port malware from one operating system to another. This discovery, among others, is part of a new crimeware report available on Securelist by Kaspersky.
The cross-platform capabilities of Rust allow Luna to aim at Windows, Linux and ESXi systems all at once. Kaspersky spotted an advertisement on the dark web stating that Luna only works with Russian-speaking affiliates. Moreover, the ransom note hardcoded into the binary contains some spelling mistakes, further supporting the conclusion that the group might be Russian-speaking. Since Luna is a newly discovered group, there’s still little data on its victimology, but Kaspersky is actively following Luna's activity.
Luna furthers the recent trend toward cross-platform ransomware, with languages like Golang and Rust being heavily implemented by modern ransomware gangs in the past year. Notable examples include BlackCat and Hive, the latter using both Go and Rust. These languages are platform-independent, so the ransomware written using them can be easily ported from one platform to another. The attacks can then be aimed at multiple operating systems at the same time.
Another investigation included in Kaspersky’s new crimeware report provides deeper insight into ransomware actor Black Basta’s activity. This group executes a new ransomware variant written in C++, which first came to light in February 2022. Since then, Black Basta has managed to attack more than 40 victims, mainly in the United States, Europe and Asia.
Kaspersky’s investigations found that both Luna and Black Basta are targeting ESXi systems, as well as Windows and Linux, which is yet another ransomware trend of 2022. ESXi is a hypervisor that can be used independently on any operating system. Since many enterprises have migrated to virtual machines based on ESXi, it has become easier for the attackers to encrypt the victims’ data.
“The trends we outlined earlier this year seem to be gaining steam,” said Jornt van der Wiel, a security expert at Kaspersky. “We see more and more gangs using cross-platform languages for writing their ransomware. This enables them to deploy their malware on a variety of operating systems. The increased attacks on ESXi virtual machines is alarming and we expect more and more ransomware families to deploy the same strategy.”
Learn more about these emerging ransomware groups on Securelist.
To protect yourself and your business from ransomware attacks, consider following these rules:
- Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
- Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminals' connections.
- Use solutions such as Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response which can help to identify and stop the attack in its early stages, before the attackers reach their final goals.
- Educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform.
- Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal provides a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team over 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.
About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Media Contact
Sawyer Van Horn
sawyer.vanhorn@Kaspersky.com
(781) 503-1866
Luna in Rust: New ransomware group emerges using cross-platform programming language
Kaspersky
Related Articles Press Releases
Kaspersky statement on compliance in the U.S. following ICTS Final Determination
In conformity with the Final Determination by the U.S. Department of Commerce, Kaspersky announces it has stopped sales contracts of its anti-virus software and cybersecurity products in the United States ahead of July 20, 2024. Starting from September 30, 2024, Kaspersky will be prohibited from providing anti-virus signature updates and codebase updates to U.S. consumers and businesses. Until then, the company will continue fulfilling its obligations under all existing contracts. Starting from July 20, 2024 Kaspersky will also gradually wind down its U.S. operations and eliminate U.S.-based positions.Read More >