Dive Brief:
- Kaspersky researchers discovered a new ransomware family written in the Rust programming language on a darknet ransomware forum.
- Luna uses an atypical encryption scheme, a combination of the X25519 key exchange and the Advanced Encryption Standard (AES), that isn’t often encountered in ransomware, according to the research, released Tuesday. It can run on Windows, Linux and ESXi systems with minor variations in the code, according to Kaspersky.
- The ransomware only works with Russian-speaking affiliates, and Kaspersky, which is also based in Russia, has yet to observe potential victims.
Dive Insight:
Luna’s use of Rust is notable because it indicates growing interest in a programming language that’s more difficult to master and harder for security companies and competing ransomware groups to reverse engineer.
The programming language is less commonly used for ransomware, but that’s changing.
The group behind Hive ransomware earlier this month overhauled and migrated its code to Rust to use a more complex encryption method and gain deeper control. BlackCat ransomware is also written in Rust.
“Luna confirms the trend for cross-platform ransomware,” Kaspersky researchers wrote in the report. By using a platform-agnostic language such as Rust, threat actors can easily port ransomware to other platforms and initiate attacks against different operating systems concurrently.
Rust also provides ransomware payloads with deep control over low-level resources, and it’s especially effective at processing large amounts of data, Michela Menting, research director at ABI Research, said following Hive’s migration to the language.