JAKARTA - Kaspersky researchers have discovered a new ransomware group that further underscores the trend in which ransomware actors are shifting towards cross-platform functionality.

The group, dubbed Luna, uses ransomware written in Rust, the programming language previously used by the BlackCat and Hive gangs. This allows them to easily move malware from one operating system to another. Attacks can then be aimed at multiple operating systems simultaneously.

This discovery is among the findings in the latest cybercrime report available on Securelist by Kaspersky. Luna is said to spread malware written in Rust; its cross-platform capabilities allow the group to target Windows, Linux, and ESXi systems at once. The ad on the dark web, discovered by Kaspersky, states that Luna only works with Russian-speaking affiliates.

“The trend we outlined earlier this year seems to be starting to pick up. We are seeing more and more groups using cross-platform languages to write their ransomware,” said Jornt van der Wiel, security expert at Kaspersky.

Additionally, the ransom note embedded in the binary contains several misspellings, leading to the conclusion that the group may be Russian-speaking. Because Luna is a newly discovered group, there is little data on its victimology, but Kaspersky is actively following Luna's activities.

Another investigation recently conducted by Kaspersky provided more in-depth insight into the activities of the Black Basta ransomware actor. The group executed a new ransomware variant written in C++ which was first revealed in February 2022. Since then, Black Basta has successfully attacked more than 40 victims, mainly in the United States, Europe, and Asia.

As Kaspersky's investigation shows, Luna and Black Basta are targeting ESXi systems, as well as Windows and Linux, which is another ransomware trend in 2022.

ESXi is a hypervisor that runs independently of any operating system. As many companies have migrated to virtual machines based on ESXi, it has become easier for attackers to encrypt victim data.

"The increase in attacks on ESXi virtual machines is worrying and we expect more and more ransomware families to adopt the same strategy," he added.

