New Luna Ransomware Encrypts Windows, Linux, and ESXi Systems

A new ransomware family dubbed Luna can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi. Kaspersky security researchers discovered Luna via an advertisement on a dark web forum, which specifically stated that Luna is to be used only by Russian-speaking affiliates. Luna is still in the development phase and is considered to be a simple ransomware with limited capabilities. However, it uses a not-so-common encryption scheme that combines the fast and secure X25519 elliptic-curve Diffie-Hellman key exchange (over Curve25519) with the Advanced Encryption Standard (AES) symmetric encryption algorithm.

Analyst Notes

This new strain was developed in Rust, and the group responsible took advantage of the language's platform-agnostic nature to port it to multiple platforms with few changes to the source code. Luna can evade automated static code analysis attempts thanks to this cross-platform language. The Linux and ESXi samples use the same source code as the Windows sample, with only minor changes. This confirms the latest trend of cybergangs creating cross-platform ransomware that can target multiple operating systems with very few code changes. Because the group has just been discovered, there is very little data on what it is targeting, so the situation will continue to be monitored.