Luna ransomware encrypts Windows, Linux and ESXi systems
Ransomware is making headlines daily. New samples are introducing new techniques, more sophistication and anti-detection techniques to hide their detection from the cybersecurity radar.
One of the most recent examples is the Luna ransomware, shortly documented by Kaspersky. The ransomware was discovered in June 2022 on underground forums, and it seems that it is in development by Russian actors. "The advertisement states that Luna only works with Russian-speaking affiliates. Also, the ransom note hardcoded inside the binary contains spelling mistakes," says the Kaspersky research team.
Become a certified reverse engineer!
The ransomware has a command-line interface with simple features implemented, as observed below.
Figure 1: Luna (the Russian word for moon) command line interface.
Luna is developed in the Rust language, such as other notable ransomware families: Hive and BlackCat. Using the Rust language, criminals obtained a set of advantages from the detection point of view. As announced on the Rust website, it provides:
- A language empowering everyone to build reliable and efficient software
- High performance because Rust is fast and memory efficient
- It provides great documentation, a friendly compiler with useful error messages and top-notch tooling
- It is cross-platform
A clear motivation from the criminals' point of view is the cross-platform feature, as it allows the development of a ransomware piece that can be used in different operating systems, such as Windows, Linux and ESXi systems. Rust is also memory efficient, and the ransomware code does not remain static, making its detection hard, another advantage of Rust within the malware landscape.
Encryption process
Luna ransomware is using a not common encryption combination, taking advantage of the fast and secure X25519 elliptic curve Diffie-Hellman key exchange using Curve25519 with the Advanced Encryption Standard (AES) symmetric encryption algorithm, as mentioned by Kaspersky.
The extension .luna is appended to all encrypted files during the encryption process, but the ransomware capabilities are still under development.
Figure 2: Luna sample and damaged files with the .luna extension appended to the file name.
An interesting detail observed during this analysis is that Luna's source code seems to be adapted to the Russian language, probably indicating the group’s targets are not part of the former USSR (Union of Soviet Socialist Republics). Within this context and to corroborate the previous thought, the ransomware note is written in American English, with some grammatical errors probably indicating an automatic translation from another language.
Figure 3: Luna ransomware note.
Regarding the Linux and ESXi samples, the same source code is used to compile both versions, with minor changes performed during the build process.
Understanding Luna ransomware
Using exotic languages like Rust demonstrates a significant trend in the ransomware landscape. Luna is the perfect example, with the criminals’ groups developing cross-platform ransomware families to cause the highest damage during the encryption process and target different operating systems. Rust and Goland are criminals' most popular programming languages to develop new threats.
In this sense, monitoring must be in place to reduce the potential damage of a ransomware incident, as well as to spotlight the threat on the cyber security radar and thus allow a fast and efficient containment of the threat.
Sources:
- Luna ransomware, Kaspersky
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Luna ransomware encrypts Windows, Linux and ESXi systems
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis