The new ransomware dubbed Luna can be used to encrypt devices running multiple operating systems, including Windows, Linux, and ESXi.
Discovered by Kaspersky security researchers via a dark web ransomware forum ad, Luna appears to be specifically designed for use only by Russian-speaking threat actors.
Encryption transforms data into a form that can be read only by someone holding the corresponding key, protecting it while it is sent, received, and stored.
As the name implies, ransomware is malware that holds a victim's data hostage by encrypting important files and demanding payment for the key.
"The ad states that Luna only works with Russian-speaking affiliates. Also, the ransom note encoded in the binary contains spelling errors. For example, it says 'a little team' instead of 'a small team'," Kaspersky said as quoted by BleepingComputer, Friday (22/7/2022).
"Therefore, we assume with confidence that the actors behind Luna are Russian speakers," Kaspersky continued.
Luna (moon in Russian) is a simple ransomware that is still in development and, judging by the available command-line options, has limited capabilities.
However, it uses an unconventional encryption scheme: X25519, the fast and secure Diffie-Hellman key exchange over Curve25519, combined with the Advanced Encryption Standard (AES) symmetric cipher.
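Kaspersky describes the scheme only as X25519 paired with AES. As an added illustration (not Kaspersky's code and not taken from the Luna binary), the block below implements X25519 from RFC 7748 in plain Python, checks it against the RFC's published test vectors, and shows the hybrid pattern such a pairing normally implies, assumed here rather than confirmed for Luna: the encrypting side generates a fresh ephemeral key pair, computes a shared secret with a public key embedded in the program, and derives the symmetric key from that secret; the decrypting side can rebuild the same key from the stored ephemeral public key only if it holds the matching private key. The HMAC-SHA256 key derivation step and all function names are the example's own assumptions, and AES itself is left out to keep the block dependency-free.

```python
import hashlib
import hmac
import os

# X25519 per RFC 7748 section 5, written out here for a dependency-free demo.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp the 32-byte scalar exactly as RFC 7748 prescribes."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127  # the top bit of the u-coordinate is ignored
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder; returns the u-coordinate of scalar * point."""
    k = _decode_scalar(scalar)
    x1 = _decode_u(point)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def derive_symmetric_key(shared_secret: bytes, label: bytes) -> bytes:
    """Hypothetical KDF step (assumption, not Luna's): HMAC-SHA256 over the shared secret."""
    return hmac.new(label, shared_secret, hashlib.sha256).digest()


def encrypt_side_key(embedded_public: bytes) -> tuple[bytes, bytes]:
    """The hybrid pattern assumed here: a fresh ephemeral key pair per use, a shared
    secret with the embedded public key, and a symmetric key derived from it.
    Only the ephemeral public key is kept alongside the ciphertext."""
    eph_private = os.urandom(32)
    eph_public = public_key(eph_private)
    key = derive_symmetric_key(x25519(eph_private, embedded_public), b"file-key")
    return eph_public, key


def decrypt_side_key(holder_private: bytes, eph_public: bytes) -> bytes:
    """Only the holder of the private key matching the embedded public key can redo this."""
    return derive_symmetric_key(x25519(holder_private, eph_public), b"file-key")


def rfc7748_vectors_ok() -> bool:
    """Check the implementation against the Diffie-Hellman test vectors in RFC 7748 section 6.1."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    b_pub = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
    shared = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return (public_key(a).hex() == a_pub and public_key(b).hex() == b_pub
            and x25519(a, public_key(b)).hex() == shared
            and x25519(b, public_key(a)).hex() == shared)


def hybrid_roundtrip_ok() -> bool:
    """Both sides derive the same key; a different private key does not."""
    holder_private = os.urandom(32)          # constructed sample key, never embedded
    embedded_public = public_key(holder_private)
    eph_public, k_enc = encrypt_side_key(embedded_public)
    k_dec = decrypt_side_key(holder_private, eph_public)
    k_wrong = decrypt_side_key(os.urandom(32), eph_public)
    return k_enc == k_dec and k_enc != k_wrong


if __name__ == "__main__":
    print("RFC 7748 vectors:", rfc7748_vectors_ok())
    print("hybrid round trip:", hybrid_roundtrip_ok())
```

The defender-relevant consequence is visible in the two helpers: a sample of such a program contains only the embedded public key and leaves the ephemeral public key next to each ciphertext, so neither static analysis of the binary nor the stored material yields the symmetric key without the private key the actor holds. That is why recovery planning for this family of schemes rests on offline backups rather than on the hope of extracting keys from the malware.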
Cross Platform Ransomware
The group behind this new ransomware developed the strain in the Rust programming language and leveraged its platform-agnostic nature to port it across multiple platforms with very few changes to the source code.
Using a cross-platform language also allows the Luna ransomware to evade some automated static code analysis.
"Both the Linux and ESXi samples were compiled using the same source code with some minor changes from the Windows version. The rest of the code has no significant changes from the Windows version," the Kaspersky researchers added.
Luna further confirms the trend of cybercrime groups developing cross-platform ransomware in languages such as Rust and Go, producing malware that can target multiple operating systems with little or no change.
Kaspersky revealed that there is still little data about victims who have been encrypted using the Luna ransomware. The group was recently discovered and its activities are still being monitored.
Other new ransomware families that BleepingComputer reported this month include Lilith, a C/C++ console-based ransomware that targets 64-bit Windows devices, and 0mega, a new ransomware operation that has targeted companies since May and is demanding multimillion-dollar ransoms.
Both are said to steal data from victims' networks before encrypting their systems, to give the extortion additional leverage.
Microsoft Dissects the North Korean Hackers Spreading Holy Ghost Ransomware Against Small Businesses
Separately, Microsoft attributed the spread of the Holy Ghost ransomware to a North Korean hacker group, which has run the ransomware operation against small businesses in various countries.
The group has been active for quite some time but has gained neither notoriety nor financial success. Researchers at the Microsoft Threat Intelligence Center (MSTIC) track the Holy Ghost ransomware gang as DEV-0530.
In an earlier report, they said the first payload from this threat actor was seen in June 2021, according to the BleepingComputer report quoted Tuesday (19/7/2022).
Classified as SiennaPurple (BTLC_C.exe), the initial Holy Ghost ransomware variant lacks many features compared to the subsequent Go-based version that appeared in October 2021.
Microsoft tracks the newer variants as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe) and notes that its functionality has expanded over time to include multiple encryption options, string obfuscation, public key management, and internet/intranet support.
The researchers said DEV-0530 succeeded in compromising several targets, particularly small and medium-sized businesses. The victims include banks, schools, manufacturing organizations, and event and meeting planning companies.
The Holy Ghost actor follows a typical ransomware attack pattern and steals data before applying encryption to infected systems.
The attackers leave a ransom note on the compromised machine and also email the victim a link to a sample of the stolen data, signalling that they are willing to negotiate a ransom in exchange for the decryption key.
Typically, the perpetrators demand payments of between 1.2 and 5 bitcoins, or up to around $100,000 at the current exchange rate.
"Even if the demand is not large, attackers are willing to negotiate and sometimes lower the price to less than a third of the original request," the Microsoft Threat Intelligence Center said.
Was the North Korean Government Involved?
The infrequent attack rate and random selection of victims reinforce the theory that the Holy Ghost ransomware operation may not be controlled by the North Korean government.
Instead, hackers working for the Pyongyang regime may be doing this on the side, for personal financial gain.
Connections to a state-backed hacking group are nonetheless possible, as MSTIC discovered communications between an email account belonging to Holy Ghost and Andariel, a threat actor that is part of the Lazarus Group under North Korea's Reconnaissance General Bureau.
"The relationship between the two groups was made stronger by the fact that they both operated from the same infrastructure set, and even used a dedicated malware controller with a similar name," the researchers said.
The Holy Ghost website is currently down, but the attackers had used it to present themselves as a legitimate entity helping victims improve their security posture.
They also justify their actions as an attempt to 'close the gap between the rich and the poor' and to help the poor and the hungry.
Like other actors in the ransomware business, Holy Ghost assures victims that they will not sell or leak the stolen data if they are paid.
The Microsoft report includes a set of recommended actions to prevent infection with Holy Ghost payloads, as well as indicators of compromise found while investigating the malware.