New Luna ransomware targets Windows, Linux and ESXi systems

25 July 2022

A new ransomware family dubbed Luna can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi systems.


Security researchers discovered Luna through an advertisement on a dark web ransomware forum, spotted by their company’s Darknet Threat Intelligence active monitoring system. The ransomware appears to be tailored for use only by Russian-speaking threat actors.

According to the researchers, who analyzed the ransomware’s command line options, Luna is fairly simple. Its encryption scheme is unusual in that it combines x25519 and AES.

The researchers noticed that the Windows version has minor differences compared with the Linux and ESXi samples, all of which are compiled from the same source code.

The spelling mistakes in the ransom note hardcoded into the ransomware binary suggest that the actors behind Luna ransomware are Russians.

“Luna confirms the trend for cross-platform ransomware: current ransomware gangs rely heavily on languages like Golang and Rust. Notable examples include BlackCat and Hive. The languages being platform agnostic, the ransomware written in these can be easily ported from one platform to others, and thus, attacks can target different operating systems at once. In addition to that, cross-platform languages help to evade static analysis,” reads the report published by Kaspersky.

In the report, the researchers also mention Black Basta, a relatively new ransomware variant written in C++ that first came to light in February 2022. Black Basta supports the command line argument “-forcepath”, which is used to encrypt only the files in a specified directory. Otherwise, the entire system, with the exception of certain critical directories, is encrypted.

Two months after the first encounter, in April, the ransomware had grown more mature. New functionality included starting the system in safe mode before encryption and mimicking Windows services for persistence.

Safe-mode reboot functionality is not something we come across every day, even though it has its advantages for the attacker. For example, some endpoint solutions do not run in safe mode, meaning the ransomware will not be detected and files on the system can be “easily” encrypted. In order to start in safe mode, the ransomware executes the following commands:

· C:\Windows\SysNative\bcdedit /set safeboot networkChanges

· C:\Windows\System32\bcdedit /set safeboot networkChanges

Detection & Response:

QRadar:

SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and (("Image" ilike '%\luna.exe' and ("Process CommandLine" ilike '%-file%' or "Process CommandLine" ilike '%-dir%' or "Process CommandLine" ilike '%lune.exe%')) or ("Image" ilike '%\cmd.exe' and ("Process CommandLine" ilike '%bcdedit%' or "Process CommandLine" ilike '%/set safeboot%' or "Process CommandLine" ilike '%networkChanges%')))

Splunk:

source="WinEventLog:*" AND ((Image="*\\luna.exe" AND (CommandLine="*-file*" OR CommandLine="*-dir*" OR CommandLine="*lune.exe*")) OR (Image="*\\cmd.exe" AND (CommandLine="*bcdedit*" OR CommandLine="*/set safeboot*" OR CommandLine="*networkChanges*")))

Elastic Query:

((process.executable:*\\luna.exe AND process.command_line:(*\-file* OR *\-dir* OR *lune.exe*)) OR (process.executable:*\\cmd.exe AND process.command_line:(*bcdedit* OR *\/set\ safeboot* OR *networkChanges*)))

CarbonBlack:

((process_name:*\\luna.exe AND process_cmdline:(*\-file* OR *\-dir* OR *lune.exe*)) OR (process_name:*\\cmd.exe AND process_cmdline:(*bcdedit* OR *\/set\ safeboot* OR *networkChanges*)))

CrowdStrike:

((ImageFileName="*\\luna.exe" AND ((CommandLine="*-file*" OR CommandLine="*-dir*" OR CommandLine="*lune.exe*") OR (CommandHistory="*-file*" OR CommandHistory="*-dir*" OR CommandHistory="*lune.exe*"))) OR (ImageFileName="*\\cmd.exe" AND ((CommandLine="*bcdedit*" OR CommandLine="*/set safeboot*" OR CommandLine="*networkChanges*") OR (CommandHistory="*bcdedit*" OR CommandHistory="*/set safeboot*" OR CommandHistory="*networkChanges*"))))

FireEye:

(metaclass:`windows` ((process:`*\luna.exe` args:[`-file`,`-dir`,`lune.exe`]) OR (process:`*\cmd.exe` args:[`bcdedit`,`/set safeboot`,`networkChanges`])))

Microsoft Defender:

DeviceProcessEvents | where ((FolderPath endswith @"\luna.exe" and (ProcessCommandLine contains "-file" or ProcessCommandLine contains "-dir" or ProcessCommandLine contains "lune.exe")) or (FolderPath endswith @"\cmd.exe" and (ProcessCommandLine contains "bcdedit" or ProcessCommandLine contains "/set safeboot" or ProcessCommandLine contains "networkChanges")))

Microsoft Sentinel:

SecurityEvent |  where EventID == 4688 | where ((NewProcessName endswith @'\luna.exe' and (CommandLine contains '-file' or CommandLine contains '-dir' or CommandLine contains 'lune.exe')) or (NewProcessName endswith @'\cmd.exe' and (CommandLine contains 'bcdedit' or CommandLine contains '/set safeboot' or CommandLine contains 'networkChanges')))

RSA NetWitness:

(((Image contains 'luna.exe') && (CommandLine contains '-file', '-dir', 'lune\.exe')) || ((Image contains 'cmd.exe') && (CommandLine contains 'bcdedit', '/set safeboot', 'networkChanges')))

SumoLogic:

(_sourceCategory=*windows* AND (((Image="*\luna.exe" AND (CommandLine = "*-file*" OR CommandLine = "*-dir*" OR CommandLine = "*lune.exe*")) OR (Image="*\cmd.exe" AND (CommandLine = "*bcdedit*" OR CommandLine = "*/set safeboot*" OR CommandLine = "*networkChanges*")))))
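As an added example (not code from the article or from the Kaspersky report), the matching logic shared by the queries above, re-implemented in Python and run over constructed sample process-creation events so it can be checked offline. The SAMPLE_EVENTS, matches_page_rule, matches_broad_rule and triage names are assumptions; the broad rule's direct bcdedit.exe branch goes beyond what the page's queries cover, since they only look for bcdedit inside a cmd.exe command line.

```python
# Added re-implementation of the page's Luna / Black Basta process rule, run over
# constructed sample events so the matching logic can be checked offline.
from typing import Iterable

# Constructed sample process-creation events (Windows 4688 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\luna.exe",
     "CommandLine": r"luna.exe -dir C:\Users\bob\Documents"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\SysNative\bcdedit /set safeboot networkChanges"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Temp"},
    {"Image": r"C:\Program Files\Luna\luna.exe",   # benign name collision, no encryption flags
     "CommandLine": "luna.exe --version"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",  # bcdedit launched directly, not via cmd.exe
     "CommandLine": "bcdedit /set safeboot networkChanges"},
]

LUNA_ARGS = ("-file", "-dir", "lune.exe")                 # same strings as the page's queries
SAFEBOOT_ARGS = ("bcdedit", "/set safeboot", "networkchanges")


def _contains_any(haystack: str, needles: Iterable[str]) -> bool:
    h = haystack.lower()  # mirror the case-insensitive ilike / contains of the SIEM queries
    return any(n in h for n in needles)


def matches_page_rule(event: dict) -> bool:
    """Direct translation of the page's rule: luna.exe branch OR cmd.exe+bcdedit branch."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if image.endswith(r"\luna.exe") and _contains_any(cmd, LUNA_ARGS):
        return True
    return image.endswith(r"\cmd.exe") and _contains_any(cmd, SAFEBOOT_ARGS)


def matches_broad_rule(event: dict) -> bool:
    """Generalisation (added assumption, not on the page): also flag bcdedit.exe when it
    is launched directly with the safeboot switch, which the cmd.exe-only branch misses."""
    image = event.get("Image", "").lower()
    direct = image.endswith(r"\bcdedit.exe") and "/set safeboot" in event.get("CommandLine", "").lower()
    return matches_page_rule(event) or direct


def triage(events: list, broad: bool = False) -> list:
    """Return the indexes of events that fire the chosen rule."""
    rule = matches_broad_rule if broad else matches_page_rule
    return [i for i, e in enumerate(events) if rule(e)]
```

Against the sample set the page rule fires on events 0 and 1 only; the broad rule additionally catches the direct bcdedit.exe launch in event 4.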
