RaaS – Zeppelin Ransomware Attacks IT and Healthcare Companies To Encrypt The Sensitive Data

Zeppelin ransomware also known as Vega or VegaLocker or Buran, observed at the beginning of 2019 and it was distributed as part of the financial malware. The ransomware was distributed through spam campaigns, downloaders, software cracking tools, and fake updates.

The ransomware was compiled in Delphi and it is a new member of Ransomware-as-a-Service (RaaS) family, the binaries are signed with the valid code signing certificates.

Zeppelin Ransomware Infection

Researchers from Cylance observed a new targeted Zeppelin ransomware campaign that targets IT and healthcare companies in Europe and the U.S.

The ransomware appears highly configurable, they can be deployed as EXE, DLL, or wrapped in a PowerShell loader and the executables have three layers of obfuscation.

Upon execution, the ransomware will check for the country code and the default language of the infected machine, if the infected user machine in one the following countries such as Russian Federation, Ukraine, Belorussia and Kazakhstan then it terminates the infection process.

Zeppelin Ransomware includes following functions

Ransomware Functions

On the infected machine, it creates an empty file with the “.zeppelin” extension in the %TEMP% directory and then copies itself to the %APPDATA% folder and it ensures persistence by setting up key in the registry.

“The Zeppelin binaries are obfuscated with a different pseudo-random 32-byte RC4 key added to each string, the string obfuscation acts as a crude polymorphism mechanism, as each generated sample will use different RC4 keys.”

Researchers observed that the “encryption algorithm has not changed substantially compared to previous versions of Buran.” For symmetric file encryption, it uses AES-256 in CBC mode and to protect the session keys it uses custom RSA implementation.

The ransomware uses to encrypt files present in all the drives except system files and network shares. Once the files encrypted it adds a random extension (“.126-D7C-E67”) to the encrypted files.

Ransom Note

After encrypting all the files in the drive Zeppelin drops a ransom note text file, which asks users to purchase a unique private key to unlock the files.

There are ways to prevent ransomware and protect yourself. In this article you will find straight-forward expert tips, so you never become a victim of Ransomware Attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

2 days ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

2 days ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

2 days ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

2 days ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

2 days ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

2 days ago