Tuesday, September 10, 2024
HomeComputer SecurityRaaS - Zeppelin Ransomware Attacks IT and Healthcare Companies To Encrypt The...

RaaS – Zeppelin Ransomware Attacks IT and Healthcare Companies To Encrypt The Sensitive Data

Published on

Zeppelin ransomware also known as Vega or VegaLocker or Buran, observed at the beginning of 2019 and it was distributed as part of the financial malware. The ransomware was distributed through spam campaigns, downloaders, software cracking tools, and fake updates.

The ransomware was compiled in Delphi and it is a new member of Ransomware-as-a-Service (RaaS) family, the binaries are signed with the valid code signing certificates.

Zeppelin Ransomware Infection

Researchers from Cylance observed a new targeted Zeppelin ransomware campaign that targets IT and healthcare companies in Europe and the U.S.

- Advertisement - EHA

The ransomware appears highly configurable, they can be deployed as EXE, DLL, or wrapped in a PowerShell loader and the executables have three layers of obfuscation.

Upon execution, the ransomware will check for the country code and the default language of the infected machine, if the infected user machine in one the following countries such as Russian Federation, Ukraine, Belorussia and Kazakhstan then it terminates the infection process.

Zeppelin Ransomware includes following functions

Zeppelin Ransomware
Ransomware Functions

On the infected machine, it creates an empty file with the “.zeppelin” extension in the %TEMP% directory and then copies itself to the %APPDATA% folder and it ensures persistence by setting up key in the registry.

“The Zeppelin binaries are obfuscated with a different pseudo-random 32-byte RC4 key added to each string, the string obfuscation acts as a crude polymorphism mechanism, as each generated sample will use different RC4 keys.”

Researchers observed that the “encryption algorithm has not changed substantially compared to previous versions of Buran.” For symmetric file encryption, it uses AES-256 in CBC mode and to protect the session keys it uses custom RSA implementation.

The ransomware uses to encrypt files present in all the drives except system files and network shares. Once the files encrypted it adds a random extension (“.126-D7C-E67”) to the encrypted files.

Zeppelin Ransomware
Ransom Note

After encrypting all the files in the drive Zeppelin drops a ransom note text file, which asks users to purchase a unique private key to unlock the files.

There are ways to prevent ransomware and protect yourself. In this article you will find straight-forward expert tips, so you never become a victim of Ransomware Attack.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Chinese Hackers Using Open Source Tools To Launch Cyber Attacks

Three Chinese state-backed threat groups, APT10, GALLIUM, and Stately Taurus, have repeatedly employed a...

Small Business, Big Threats: INE Security Launches Initiative to Train SMBs to Close a Critical Skills Gap

As cyber threats grow, small to medium-sized businesses (SMBs) are disproportionately targeted. According to...

Researchers Details Attacks On Air-Gaps Computers To Steal Data

The air-gap data protection method isolates local networks from the internet to mitigate cyber...

Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

In August 2024, researchers detected a malicious Google Chrome browser infection that led to...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

High School in London Forced to Sends Students Home Following Ransomware Attack

Charles Darwin School in Biggin Hill, London, has been forced to close its doors...

Akira Ransomware Actively Exploiting SonicWall firewall RCE Vulnerability

SonicWall disclosed a critical remote code execution vulnerability (CVE-2024-40766) in SonicOS on August 22nd,...

Fog Ransomware Now Targeting the Financial Sector; Adlumin Thwarts Attack

The Fog Ransomware group, known for targeting education and recreation sectors, has expanded its...