Search This Blog

ESXi , Linux, and Windows Systems at Risk From New Luna Ransomware

In to keep its double-extortion tactics, both ransomware are known for collecting data from their victims' networks before encrypting their computers.
Luna is a brand-new ransomware family that was written in Rust, making it the third strain to do so after BlackCat and Hive, according to Kaspersky security researchers

The experts who examined the ransomware's command-line options believe that Luna is a reasonably straightforward ransomware program. 

Luna ransomware

This interesting encryption method combines x25519 with AES. The researchers discovered that the Linux and ESXi samples, which are compiled using the identical source code, differ only slightly from the Windows version.

Darknet forum advertisements for Luna imply that the ransomware is only meant to be used by affiliates who speak Russian. Due to spelling errors in the ransom note that are hard-coded into the malware, its main creators are also thought to be of Russian descent.

The Luna ransomware is also able to avoid automated static code analysis attempts by utilizing a cross-platform language.

"The source code used to compile the Windows version and the Linux and ESXi samples are identical. The remaining code is almost unchanged from the Windows version" the researchers added. Luna "confirms the trend for cross-platform ransomware," the researchers wrote, pointing out how hackers are able to target and strike at scale while avoiding static analysis, thanks to the platform flexibility of languages like Golang and Rust.

Nevertheless, considering that Luna is a recently identified criminal organization and its activities are still being constantly monitored, there is very little knowledge available regarding the victimology trends.

Black Basta

Researchers have also revealed information about the Black Basta ransomware group, which modified its software to target ESXi systems. By adding compatibility for VMware ESXi, various ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil, hope to increase their potential targets.

The double-extortion attack model is used by Black Basta, a ransomware operation that has been operational since April 2022.

Researchers from Kaspersky said that operators had introduced a new feature that relies on launching the computer in safe mode before encrypting data and imitating Windows Services in order to maintain persistence.

Black Basta can avoid detection from a variety of endpoint security solutions by starting Windows in safe mode.




Share it:

Cyber Secuirty

Cyber Security

Darknet

Double extortion

Linux

Ransomware Attacks.

Russian Hacker

VMware