Saturday, March 30, 2024

RaaS – Zeppelin Ransomware Attacks IT and Healthcare Companies To Encrypt The Sensitive Data

Zeppelin ransomware also known as Vega or VegaLocker or Buran, observed at the beginning of 2019 and it was distributed as part of the financial malware. The ransomware was distributed through spam campaigns, downloaders, software cracking tools, and fake updates.

The ransomware was compiled in Delphi and it is a new member of Ransomware-as-a-Service (RaaS) family, the binaries are signed with the valid code signing certificates.

Zeppelin Ransomware Infection

Researchers from Cylance observed a new targeted Zeppelin ransomware campaign that targets IT and healthcare companies in Europe and the U.S.

The ransomware appears highly configurable, they can be deployed as EXE, DLL, or wrapped in a PowerShell loader and the executables have three layers of obfuscation.

Upon execution, the ransomware will check for the country code and the default language of the infected machine, if the infected user machine in one the following countries such as Russian Federation, Ukraine, Belorussia and Kazakhstan then it terminates the infection process.

Zeppelin Ransomware includes following functions

Zeppelin Ransomware
Ransomware Functions

On the infected machine, it creates an empty file with the “.zeppelin” extension in the %TEMP% directory and then copies itself to the %APPDATA% folder and it ensures persistence by setting up key in the registry.

“The Zeppelin binaries are obfuscated with a different pseudo-random 32-byte RC4 key added to each string, the string obfuscation acts as a crude polymorphism mechanism, as each generated sample will use different RC4 keys.”

Researchers observed that the “encryption algorithm has not changed substantially compared to previous versions of Buran.” For symmetric file encryption, it uses AES-256 in CBC mode and to protect the session keys it uses custom RSA implementation.

The ransomware uses to encrypt files present in all the drives except system files and network shares. Once the files encrypted it adds a random extension (“.126-D7C-E67”) to the encrypted files.

Zeppelin Ransomware
Ransom Note

After encrypting all the files in the drive Zeppelin drops a ransom note text file, which asks users to purchase a unique private key to unlock the files.

There are ways to prevent ransomware and protect yourself. In this article you will find straight-forward expert tips, so you never become a victim of Ransomware Attack.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles