By turning to platform-agnostic programming languages, threat groups are able to simultaneously infiltrate more systems and virtual machines in a single attack

A new ransomware group that targets multiple operating systems has been found in the wild, according to a crimeware report.

Dubbed Luna, the group employs a programming language that allows them to easily port malware from one platform to another—such as Windows, Linux and ESXi systems—all at once.

According to one of the group’s advertisements on the Dark Web, they only work with Russian-speaking affiliates. Moreover, a ransom note hardcoded into one of the group’s binaries contains some spelling mistakes that suggest the group is Russian-speaking.

Luna underlines the recent trend toward cross-platform ransomware, with languages like Go and Rust being heavily used by ransomware gangs in the past year. Notable examples include BlackCat and Hive, the latter using both Go and Rust. These languages are platform-independent, so ransomware written in them can be easily ported from one platform to another. The attacks can then be aimed at multiple operating systems at the same time.

According to Jornt van der Wiel, a security expert at Kaspersky, the firm that released the report: “We see more and more gangs using cross-platform languages for writing their ransomware. This enables them to deploy their malware on a variety of operating systems. The increased attacks on ESXi virtual machines are alarming and we expect more and more ransomware families to deploy the same strategy.”

ESXi is an enterprise-class hypervisor that can be used independently on any operating system. Since many enterprises have migrated to virtual machines based on ESXi, attackers have found it easier to encrypt victims’ data. Another new ransomware variant that attacks ESXi is Black Basta, which was first detected in February this year. Since then, the malware, written in C++, has managed to attack more than 40 victims, mainly in the United States, Europe and Asia.