Security researchers reported the discovery of a new cross-platform ransomware strain coded to target Windows, Linux, and ESXi systems.
Meet the New Cross-Platform Luna Ransomware
Discovered by Kaspersky’s Darknet Threat Intelligence monitoring system, the Luna ransomware is advertised on a darknet ransomware forum. The malware is written in Rust and is “fairly simple” judging by the available command line options. Its encryption scheme, however, is unusual: it combines x25519 and AES, a combination not often encountered in ransomware campaigns.
“Both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version. For example, if the Linux samples are executed without command line arguments, they will not run. Instead, they will display available arguments that can be used,” Kaspersky said.
According to the darknet forum advertisement, Luna currently works only with Russian-speaking affiliates, and the researchers believe that the ransomware creators are also Russian.
The emergence of this new ransomware confirms the trend toward cross-platform malware and ransomware, as well as the use of languages such as Golang and Rust. Another example is the BlackCat ransomware discovered last winter. That ransomware group was the first to use Rust in a malicious sample seen in the wild.
Another example of ransomware that targets more than one operating system is HelloXD, which has been carrying out double extortion attacks since November 2021.
The ransomware has multiple variants that impact both Windows and Linux systems. What distinguishes HelloXD from other, similar ransomware families is that it doesn’t feature a leak site. Instead, it redirects victims to negotiate via Tox chat (a p2p instant messaging protocol also used by other ransomware) and onion-based messengers.