Security researchers stated that cybercriminals have created a new ransomware variant named “Zeppelin” to target healthcare and IT companies in the U.S., Canada, and Europe. Zeppelin is reportedly a new variant of the VegaLocker/Buran ransomware.
Background of the Ransomware
According to the BlackBerry Cylance Threat Research team, Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family, built on the same code and features as its predecessor, VegaLocker.
Beginning its journey as VegaLocker, the ransomware was developed on Russian hacker forums under the name Buran, in May 2019. VegaLocker samples were first discovered in a malvertising operation on Yandex.Direct, a Russian online advertising network.
The campaign was aimed at Russian-speaking users. Several new versions of VegaLocker ransomware appeared during this year, each carrying a different name, such as Jamper, Storm, and Buran. The latest variant of this ransomware is Zeppelin.
Zeppelin Ransomware
The BlackBerry Cylance research team stated that Zeppelin was being used in targeted attacks against healthcare and other IT companies in the U.S., Canada, and Europe. The researchers said the ransomware also targeted Managed Service Providers (MSPs) to infect customers via management software.
Researchers believed that the threat actors had dropped the ransomware through Remote Desktop servers that are online.
“The recent campaign that utilizes the newest variant, Zeppelin, is visibly distinct. The first samples of Zeppelin–with compilation timestamps no earlier than November 6, 2019–were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the U.S.,” researchers said.
Injection Process
Once installed, Zeppelin will check the victim’s country code to make sure it’s not running in countries like the Russian Federation, Ukraine, Belorussia, and Kazakhstan.
Depending on the options set during the building process, it will either check the machine’s default language and default country calling code or use an online service to obtain the victim’s external IP address.
The ransomware then starts terminating various processes including ones associated with the database, backup, and mail servers.
While encrypting files, Zeppelin creates ransom notes named “!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT” that read: “You are not able to decrypt it by yourself! The only method of recovering files is to purchase a unique private key. Only we can give you this key and only we can recover your files.”
The notes contain other information about what happened to the victim’s files, and how they can contact the attackers about payment.
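The ransom note name described above gives defenders a simple detection anchor. The following is an added example, not code from the article or from BlackBerry Cylance: it flags any process that writes the note into several directories within a short window. The event format, host names, process paths and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Ransom note file name as reported in the article.
NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"

# Constructed file-creation events: timestamp, host, process image, created path.
SAMPLE_EVENTS = r"""
2019-12-11T10:00:01,HOST-A,C:\Temp\sample.exe,C:\Users\bob\Documents\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
2019-12-11T10:00:03,HOST-A,C:\Temp\sample.exe,C:\Users\bob\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
2019-12-11T10:00:04,HOST-A,C:\Temp\sample.exe,C:\Users\bob\Desktop\report.docx
2019-12-11T10:00:09,HOST-A,C:\Temp\sample.exe,D:\Shares\Finance\!!! all your files are encrypted !!!.txt
2019-12-11T11:30:00,HOST-B,C:\Windows\notepad.exe,C:\IR\evidence\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
"""

def is_note(path):
    """Match the note name regardless of case or repeated whitespace."""
    name = PureWindowsPath(path).name
    return " ".join(name.split()).casefold() == NOTE_NAME.casefold()

def parse_events(text):
    """Yield (timestamp, host, image, target) tuples from the CSV-style log."""
    for ts, host, image, target in csv.reader(io.StringIO(text.strip())):
        yield datetime.fromisoformat(ts), host, image, target

def find_note_bursts(events, window=timedelta(seconds=60), min_dirs=3):
    """Alert when one process drops the note in >= min_dirs directories within window."""
    drops = defaultdict(list)
    for ts, host, image, target in events:
        if is_note(target):
            parent = str(PureWindowsPath(target).parent).casefold()
            drops[(host, image)].append((ts, parent))
    alerts = []
    for (host, image), hits in drops.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct directories touched within the window starting at this hit.
            dirs = {d for t, d in hits[i:] if t - start <= window}
            if len(dirs) >= min_dirs:
                alerts.append({"host": host, "image": image,
                               "first_seen": start, "dirs": len(dirs)})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_note_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

A single note file, such as the one an analyst saves on HOST-B in the sample, stays below the threshold and does not alert.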