In our crimeware reporting service, we analyze the latest crime-related trends we come across. If we look back at what we covered last month, we will see that ransomware (surprise, surprise!) definitely stands out. In this blog post, we provide several excerpts from last month’s reports on new ransomware strains.
Luna: brand-new ransomware written in Rust
Last month, our Darknet Threat Intelligence active monitoring system notified us of a new advertisement on a darknet ransomware forum.
As one can see from the advertisement, the malware is written in Rust and runs on Windows, Linux and ESXi systems. Armed with this knowledge, we went hunting for samples, finding a few via the Kaspersky Security Network (KSN).
Judging by the command line options available, Luna is fairly simple. The encryption scheme it uses, however, is not so typical, as it involves x25519 and AES, a combination not often encountered in ransomware schemes.
Both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version. For example, if the Linux samples are executed without command line arguments, they will not run. Instead, they will display available arguments that can be used. The rest of the code has no significant changes from the Windows version.
The advertisement states that Luna only works with Russian-speaking affiliates. Also, the ransom note hardcoded inside the binary contains spelling mistakes. For example, it says “a little team” instead of “a small team”. Because of this, we assume with medium confidence that the actors behind Luna are speakers of Russian. Since Luna is a freshly discovered group, there is still little data on its victimology, but we at Kaspersky are following Luna’s activity.
Luna confirms the trend for cross-platform ransomware: current ransomware gangs rely heavily on languages like Golang and Rust. A notable example includes BlackCat and Hive. The languages being platform agnostic, the ransomware written in these can be easily ported from one platform to others, and thus, attacks can target different operating systems at once. In addition to that, cross-platform languages help to evade static analysis.
Black Basta is a relatively new ransomware variant written in C++ which first came to light in February 2022. The malware, the infrastructure and the campaign were still in development mode at the time. For example, the victim blog was not online yet, but the Black Basta website was already available to victims.
Black Basta supports the command line argument “-forcepath” that is used to encrypt only files in a specified directory. Otherwise, the entire system, with the exception of certain critical directories, is encrypted.
Two months after the first encounter, in April, the ransomware had grown more mature. New functionality included starting up the system in safe mode before encryption and mimicking Windows Services for persistence reasons.
The safe-mode reboot functionality is not something we come across every day, even though it has its advantages. For example, some endpoint solutions do not run in safe mode, meaning the ransomware will not be detected and files in the system can be “easily” encrypted. In order to start in safe mode, the ransomware executes the following commands:
- C:\Windows\SysNative\bcdedit /set safeboot networkChanges
- C:\Windows\System32\bcdedit /set safeboot networkChanges
Earlier versions of Black Basta contained a different rescue note from the one currently used, which showed similarities to the ransom note used by Conti. This is not as odd as it may seem, because Black Basta was still in development mode at the time.
To ascertain that there was indeed no code overlap between Conti and the earlier versions of Black Basta, we fed a few samples to the Kaspersky Threat Attribution Engine (KTAE). Indeed, as shown below, only the strings overlap. There is thus no overlap in code per sec.