New Luna ransomware targets Windows, Linux and ESXi systems

25 July 2022

A new ransomware family dubbed Luna can encrypt devices running several operating systems, including Windows, Linux and VMware ESXi.

Kaspersky researchers discovered Luna through an advertisement on a dark web ransomware forum, spotted by the company’s Darknet Threat Intelligence active monitoring system. According to the ad, Luna is offered only to Russian-speaking threat actors.

According to the researchers, who analyzed the ransomware’s command-line options, Luna is fairly simple. Its encryption scheme is unusual in that it combines x25519 key exchange with AES, a pairing not often seen in ransomware.

The researchers noticed that the Windows build differs only slightly from the Linux and ESXi samples; all three are compiled from the same source code.

Spelling mistakes in the ransom note hardcoded into the binary suggest that the actors behind Luna are Russian.

“Luna confirms the trend for cross-platform ransomware: current ransomware gangs rely heavily on languages like Golang and Rust. Notable examples include BlackCat and Hive. These languages being platform agnostic, ransomware written in them can be easily ported from one platform to others, and thus attacks can target different operating systems at once. In addition to that, cross-platform languages help to evade static analysis,” reads the report published by Kaspersky.

In the same report, the researchers also describe Black Basta, a relatively new ransomware variant written in C++ that first came to light in February 2022. Black Basta supports the command-line argument “-forcepath”, which restricts encryption to files in a specified directory; otherwise the entire system is encrypted, with the exception of certain critical directories.

Two months after the first encounter, in April 2022, the ransomware had matured. New functionality included rebooting the system into safe mode before encryption and mimicking Windows services for persistence.

The safe-mode reboot is not something seen every day, but it has a clear advantage for the attacker: some endpoint protection products do not run in safe mode, so the ransomware goes undetected and files can be encrypted unhindered. To arrange the reboot, the ransomware sets the safeboot flag in the Boot Configuration Data with the following commands (the SysNative alias reaches the 64-bit System32 from a 32-bit process, so both paths are tried):

C:\Windows\SysNative\bcdedit /set safeboot network

C:\Windows\System32\bcdedit /set safeboot network

bcdedit accepts only minimal, network or dsrepair as the safeboot value; “network” boots safe mode with networking. Once set, the flag keeps the machine booting into safe mode until it is removed, for example with bcdedit /deletevalue {current} safeboot, and bcdedit /enum {current} shows whether it is present.

Detection & Response:

The queries below look for two behaviours from the report: the Luna binary invoked with its -file or -dir options, and bcdedit being used to set the safeboot flag. As written, the bcdedit branch only fires when the image is cmd.exe, so a bcdedit.exe process spawned directly by the ransomware would not match; adding bcdedit.exe as a second image in that branch is a reasonable extension.

QRadar:

SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and (("Image" ilike '%\luna.exe' and ("Process CommandLine" ilike '%-file%' or "Process CommandLine" ilike '%-dir%' or "Process CommandLine" ilike '%lune.exe%')) or ("Image" ilike '%\cmd.exe' and ("Process CommandLine" ilike '%bcdedit%' or "Process CommandLine" ilike '%/set safeboot%' or "Process CommandLine" ilike '%safeboot network%')))

Splunk:

source="WinEventLog:*" AND ((Image="*\\luna.exe" AND (CommandLine="*-file*" OR CommandLine="*-dir*" OR CommandLine="*lune.exe*")) OR (Image="*\\cmd.exe" AND (CommandLine="*bcdedit*" OR CommandLine="*/set safeboot*" OR CommandLine="*safeboot network*")))

Elastic Query:

((process.executable:*\\luna.exe AND process.command_line:(*\-file* OR *\-dir* OR *lune.exe*)) OR (process.executable:*\\cmd.exe AND process.command_line:(*bcdedit* OR *\/set\ safeboot* OR *safeboot\ network*)))

CarbonBlack:

((process_name:*\\luna.exe AND process_cmdline:(*\-file* OR *\-dir* OR *lune.exe*)) OR (process_name:*\\cmd.exe AND process_cmdline:(*bcdedit* OR *\/set\ safeboot* OR *safeboot\ network*)))

CrowdStrike:

((ImageFileName="*\\luna.exe" AND ((CommandLine="*-file*" OR CommandLine="*-dir*" OR CommandLine="*lune.exe*") OR (CommandHistory="*-file*" OR CommandHistory="*-dir*" OR CommandHistory="*lune.exe*"))) OR (ImageFileName="*\\cmd.exe" AND ((CommandLine="*bcdedit*" OR CommandLine="*/set safeboot*" OR CommandLine="*safeboot network*") OR (CommandHistory="*bcdedit*" OR CommandHistory="*/set safeboot*" OR CommandHistory="*safeboot network*"))))

FireEye:

(metaclass:`windows` ((process:`*\luna.exe` args:[`-file`,`-dir`,`lune.exe`]) OR (process:`*\cmd.exe` args:[`bcdedit`,`/set safeboot`,`safeboot network`])))

Microsoft Defender:

DeviceProcessEvents | where ((FolderPath endswith @"\luna.exe" and (ProcessCommandLine contains "-file" or ProcessCommandLine contains "-dir" or ProcessCommandLine contains "lune.exe")) or (FolderPath endswith @"\cmd.exe" and (ProcessCommandLine contains "bcdedit" or ProcessCommandLine contains "/set safeboot" or ProcessCommandLine contains "safeboot network")))

Microsoft Sentinel:

SecurityEvent | where EventID == 4688 | where ((NewProcessName endswith @'\luna.exe' and (CommandLine contains '-file' or CommandLine contains '-dir' or CommandLine contains 'lune.exe')) or (NewProcessName endswith @'\cmd.exe' and (CommandLine contains 'bcdedit' or CommandLine contains '/set safeboot' or CommandLine contains 'safeboot network')))

RSA Netwitness:

(((Image contains 'luna.exe') && (CommandLine contains '-file', '-dir', 'lune\.exe')) || ((Image contains 'cmd.exe') && (CommandLine contains 'bcdedit', '/set safeboot', 'safeboot network')))

SumoLogic:

(_sourceCategory=*windows* AND (((Image="*\luna.exe" AND (CommandLine = "*-file*" OR CommandLine = "*-dir*" OR CommandLine = "*lune.exe*")) OR (Image="*\cmd.exe" AND (CommandLine = "*bcdedit*" OR CommandLine = "*/set safeboot*" OR CommandLine = "*safeboot network*")))))
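The two conditions behind the queries above, run over a handful of constructed process-creation events, as an added example that is not part of the original page or of Kaspersky’s report. The event field names (Image, CommandLine) follow Sysmon Event ID 1 / Security 4688, the sample events are made up, and the broadened safeboot rule that also matches a directly spawned bcdedit.exe is this example’s own choice.

```python
"""Run the page's two detection conditions over constructed process-creation
events. Added example: not code from the page or from Kaspersky. The event
shape (Image, CommandLine; modelled on Sysmon Event ID 1 / Security 4688)
and the sample events below are assumptions."""
import re

# Constructed sample events; not telemetry from a real Luna or Black Basta incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\luna.exe",
     "CommandLine": r"luna.exe -dir C:\Users\victim\Documents"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Windows\SysNative\bcdedit /set safeboot network"'},
    {"Image": r"C:\Windows\System32\bcdedit.exe",          # bcdedit spawned directly, no cmd.exe
     "CommandLine": r"C:\Windows\System32\bcdedit /set safeboot network"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
    {"Image": r"C:\Program Files\App\luna.exe",             # same file name, no encryption options
     "CommandLine": r"luna.exe --version"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",          # benign read of the boot store
     "CommandLine": r"bcdedit /enum {current}"},
]

# bcdedit accepts only these safeboot values; the {id} argument is optional (defaults to {current}).
SAFEBOOT_RE = re.compile(r"/set\s+(\{[^}]+\}\s+)?safeboot\s+(minimal|network|dsrepair)\b")
# Luna's -file / -dir options as whole tokens, so "--directory"-style options do not fire.
LUNA_OPT_RE = re.compile(r"(^|\s)-(file|dir)(\s|$)")


def basename(path: str) -> str:
    """Last path component, lower-cased, for comparing against an image name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_luna(event: dict) -> bool:
    """The page's first rule: luna.exe started with its -file or -dir option."""
    return basename(event["Image"]) == "luna.exe" and bool(LUNA_OPT_RE.search(event["CommandLine"].lower()))


def match_safeboot_cmd_only(event: dict) -> bool:
    """The page's second rule as written: cmd.exe whose command line carries bcdedit and /set safeboot."""
    cl = event["CommandLine"].lower()
    return basename(event["Image"]) == "cmd.exe" and "bcdedit" in cl and "/set safeboot" in cl


def match_safeboot(event: dict) -> bool:
    """Broadened rule: any process whose command line sets the safeboot flag through bcdedit,
    so a bcdedit.exe launched straight from the ransomware binary is caught as well."""
    cl = event["CommandLine"].lower()
    return "bcdedit" in cl and SAFEBOOT_RE.search(cl) is not None


def detect(events: list) -> list:
    """Return (index, image basename, [rule names]) for every event that fires a rule."""
    rules = (("luna_cli", match_luna), ("safeboot_set", match_safeboot))
    hits = []
    for i, ev in enumerate(events):
        reasons = [name for name, rule in rules if rule(ev)]
        if reasons:
            hits.append((i, basename(ev["Image"]), reasons))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    # The cmd.exe-only form misses the directly spawned bcdedit.exe (event 2).
    print([i for i, ev in enumerate(SAMPLE_EVENTS) if match_safeboot_cmd_only(ev)])
```

Run as a script it prints the three hits (events 0, 1 and 2) and then `[1]`, showing that the cmd.exe-bound form of the safeboot rule misses the bcdedit.exe process the Black Basta commands imply; the /enum call and the luna.exe started without -file or -dir do not fire either rule.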
