New Luna ransomware targets Windows, Linux and ESXi systems


A new ransomware family dubbed Luna can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi systems.

Discovered by Kaspersky security researchers via a dark web ransomware forum ad spotted by the company’s Darknet Threat Intelligence active monitoring system, Luna ransomware appears to be specifically tailored to be used only by Russian-speaking threat actors.

According to the experts, who analyzed the command line options for the ransomware, Luna is fairly simple. The encryption scheme is unusual because it combines x25519 and AES.

The researchers noticed that the Windows version has minor changes compared with both the Linux and ESXi samples, which are compiled using the same source code.

The presence of spelling mistakes in the ransom note hardcoded in the binary of the ransomware suggests that the actors behind Luna ransomware are Russians. 

“Luna confirms the trend for cross-platform ransomware: current ransomware gangs rely heavily on languages like Golang and Rust. A notable example includes BlackCat and Hive. The languages being platform agnostic, the ransomware written in these can be easily ported from one platform to others, and thus, attacks can target different operating systems at once. In addition to that, cross-platform languages help to evade static analysis.” reads the report published by Kaspersky.

In the report, Kaspersky also mentioned Black Basta ransomware which is a relatively new ransomware variant written in C++ which first came to light in February 2022. Black Basta supports the command line argument “-forcepath” that is used to encrypt only files in a specified directory. Otherwise, the entire system, with the exception of certain critical directories, is encrypted.

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

Two months after the first encounter, in April, the ransomware had grown more mature. New functionality included starting up the system in safe mode before encryption and mimicking Windows Services for persistence reasons.

The safe-mode reboot functionality is not something we come across every day, even though it has its advantages. For example, some endpoint solutions do not run in safe mode, meaning the ransomware will not be detected and files in the system can be “easily” encrypted. In order to start in safe mode, the ransomware executes the following commands:

  • C:\Windows\SysNative\bcdedit /set safeboot networkChanges
  • C:\Windows\System32\bcdedit /set safeboot networkChanges

Detection & Response:


SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and (("Image" ilike '%\luna.exe' and ("Process CommandLine" ilike '%-file%' or "Process CommandLine" ilike '%-dir%' or "Process CommandLine" ilike '%lune.exe%')) or ("Image" ilike '%\cmd.exe' and ("Process CommandLine" ilike '%bcdedit%' or "Process CommandLine" ilike '%/set safeboot%' or "Process CommandLine" ilike '%networkChanges%')))


source="WinEventLog:*" AND ((Image="*\\luna.exe" AND (CommandLine="*-file*" OR CommandLine="*-dir*" OR CommandLine="*lune.exe*")) OR (Image="*\\cmd.exe" AND (CommandLine="*bcdedit*" OR CommandLine="*/set safeboot*" OR CommandLine="*networkChanges*")))

Elastic Query:

((process.executable:*\\luna.exe AND process.command_line:(*\-file* OR *\-dir* OR *lune.exe*)) OR (process.executable:*\\cmd.exe AND process.command_line:(*bcdedit* OR *\/set\ safeboot* OR *networkChanges*)))


((process_name:*\\luna.exe AND process_cmdline:(*\-file* OR *\-dir* OR *lune.exe*)) OR (process_name:*\\cmd.exe AND process_cmdline:(*bcdedit* OR *\/set\ safeboot* OR *networkChanges*)))


((ImageFileName="*\\luna.exe" AND ((CommandLine="*-file*" OR CommandLine="*-dir*" OR CommandLine="*lune.exe*") OR (CommandHistory="*-file*" OR CommandHistory="*-dir*" OR CommandHistory="*lune.exe*"))) OR (ImageFileName="*\\cmd.exe" AND ((CommandLine="*bcdedit*" OR CommandLine="*/set safeboot*" OR CommandLine="*networkChanges*") OR (CommandHistory="*bcdedit*" OR CommandHistory="*/set safeboot*" OR CommandHistory="*networkChanges*"))))


(metaclass:`windows` ((process:`*\luna.exe` args:[`-file`,`-dir`,`lune.exe`]) OR (process:`*\cmd.exe` args:[`bcdedit`,`/set safeboot`,`networkChanges`])))

Microsoft Defender:

DeviceProcessEvents | where ((FolderPath endswith @"\luna.exe" and (ProcessCommandLine contains "-file" or ProcessCommandLine contains "-dir" or ProcessCommandLine contains "lune.exe")) or (FolderPath endswith @"\cmd.exe" and (ProcessCommandLine contains "bcdedit" or ProcessCommandLine contains "/set safeboot" or ProcessCommandLine contains "networkChanges")))

Microsoft Sentinel:

SecurityEvent |  where EventID == 4688 | where ((NewProcessName endswith @'\luna.exe' and (CommandLine contains '-file' or CommandLine contains '-dir' or CommandLine contains 'lune.exe')) or (NewProcessName endswith @'\cmd.exe' and (CommandLine contains 'bcdedit' or CommandLine contains '/set safeboot' or CommandLine contains 'networkChanges')))

RSA Netwitness:

(((Image contains 'luna.exe') && (CommandLine contains '-file', '-dir', 'lune\.exe')) || ((Image contains 'cmd.exe') && (CommandLine contains 'bcdedit', '/set safeboot', 'networkChanges')))


(_sourceCategory=*windows* AND (((Image="*\luna.exe" AND (CommandLine = "*-file*" OR CommandLine = "*-dir*" OR CommandLine = "*lune.exe*")) OR (Image="*\cmd.exe" AND (CommandLine = "*bcdedit*" OR CommandLine = "*/set safeboot*" OR CommandLine = "*networkChanges*")))))

Source/Credits: hs://

Luna and Black Basta — new ransomware for Windows, Linux and ESXi

Previous articleRussia-linked APT29 uses Google Drive, and Dropbox to Evade – Detection & Response
Next articleCVE-2022-33891- Apache Spark Shell Command Injection – Detection & Response
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.


Please enter your comment!
Please enter your name here