Zeppelin Ransomware

Zeppelin ransomware also known as Vega or VegaLocker or Buran, observed at the beginning of 2019 and it was distributed as part of the financial malware. The ransomware was distributed through spam campaigns, downloaders, software cracking tools, and fake updates.

The ransomware was compiled in Delphi and it is a new member of Ransomware-as-a-Service (RaaS) family, the binaries are signed with the valid code signing certificates.

Zeppelin Ransomware Infection

Researchers from Cylance observed a new targeted Zeppelin ransomware campaign that targets IT and healthcare companies in Europe and the U.S.

The ransomware appears highly configurable, they can be deployed as EXE, DLL, or wrapped in a PowerShell loader and the executables have three layers of obfuscation.

Upon execution, the ransomware will check for the country code and the default language of the infected machine, if the infected user machine in one the following countries such as Russian Federation, Ukraine, Belorussia and Kazakhstan then it terminates the infection process.

Zeppelin Ransomware includes following functions

Zeppelin Ransomware
Ransomware Functions

On the infected machine, it creates an empty file with the “.zeppelin” extension in the %TEMP% directory and then copies itself to the %APPDATA% folder and it ensures persistence by setting up key in the registry.

“The Zeppelin binaries are obfuscated with a different pseudo-random 32-byte RC4 key added to each string, the string obfuscation acts as a crude polymorphism mechanism, as each generated sample will use different RC4 keys.”

Researchers observed that the “encryption algorithm has not changed substantially compared to previous versions of Buran.” For symmetric file encryption, it uses AES-256 in CBC mode and to protect the session keys it uses custom RSA implementation.

The ransomware uses to encrypt files present in all the drives except system files and network shares. Once the files encrypted it adds a random extension (“.126-D7C-E67”) to the encrypted files.

Zeppelin Ransomware
Ransom Note

After encrypting all the files in the drive Zeppelin drops a ransom note text file, which asks users to purchase a unique private key to unlock the files.

There are ways to prevent ransomware and protect yourself. In this article you will find straight-forward expert tips, so you never become a victim of Ransomware Attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Leave a Reply