A new and dangerous cross-platform ransomware emerges

03 August 2022

Kaspersky researchers have uncovered a new ransomware group that further underlines the trend of ransomware actors turning to cross-platform functionality. The group, dubbed Luna, employs the use of ransomware written in Rust, a programming language that has been previously used by BlackCat and Hive gangs, among others. It allows them to easily port malware from one operating system to another. This discovery, among others, is part of the recent crimeware report available on Securelist by Kaspersky.

Luna deploys malware written in Rust – its cross-platform capabilities allow the group to target Windows, Linux and ESXi systems all at once. The advertisement on the dark web, spotted by Kaspersky, states that Luna only works with Russian-speaking affiliates. Moreover, the ransom note hardcoded into the binary contains some spelling mistakes, pointing towards the conclusion that the group might be Russian-speaking. Since Luna is a newly discovered group, there is still little data on its victimology, but Kaspersky is actively following Luna's activity.

Luna underlines the recent trend for cross-platform ransomware, with languages like Golang and Rust being heavily used by modern ransomware gangs in the past year. Notable examples include BlackCat and Hive, the latter using both Go and Rust. These languages are platform independent, so ransomware written in them can be easily ported from one platform to another, and the attacks can then be aimed at multiple operating systems at the same time.

Another investigation recently conducted by Kaspersky provides deeper insight into ransomware actor Black Basta’s activity. This group executes a new ransomware variant written in C++ which first came to light in February 2022. Since then, Black Basta has managed to attack more than 40 victims, mainly in the United States, Europe and Asia.

As Kaspersky’s investigation has shown, both Luna and Black Basta are targeting ESXi systems, as well as Windows and Linux, which is yet another ransomware trend of 2022. ESXi is a hypervisor that can be used independently on any operating system. Since many enterprises have migrated to virtual machines based on ESXi, it has become easier for the attackers to encrypt the victims’ data.

To protect yourself and your business from ransomware attacks, consider following these rules proposed by Kaspersky:

  • Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
  • Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals' connections.
  • Use solutions such as Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response which can help to identify and stop the attack in its early stages, before the attackers reach their final goals.
  • To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform.