Cybercriminals have spun off a ransomware that was originally known to target Russian organizations into a new malicious encryptor used in targeted campaigns against strategically selected health care and IT companies in America and Europe.
Dubbed Zeppelin, the new ransomware is a descendant of VegaLocker, a Delphi-based Ransomware-as-a-Service (RaaS) offering that was discovered in early 2019 and quickly evolved into variants such as Jamper and Buran. While this family of ransomware was notably observed in a malvertising campaign targeting Russian-speaking accountants, the new Zeppelin strain has clearly pursued an entirely different agenda, and furthermore is "visibly distinct" from its predecessors, according to blog post published yesterday by the Cylance Threat Research Team.
Cylance, a division of BlackBerry, theorizes that Zeppelin is being deployed by a different group of threat actors than those who operated any of the earlier VegaLocker variants. The new actors could be cybercriminal affiliates who entered into an RaaS arrangement with Zeppelin's true owners, or if they somehow obtained VegaLocker's or Buran's source code they could have perhaps redeveloped it themselves into the latest iteration.
Either way, Cylance says the Zeppelin actors appear to have "carefully chosen" their targeted organizations in a campaign that dates back to at least Nov. 6, 2019, based on the timestamps of the ransomware's earliest known samples. Samples were found hosted on compromised websites as well as on Pastebin. Furthermore, "There are reasons to believe at least some of the attacks were conducted through MSSPs [Managed Security Service Provider]," the blog post continues.
Cylance notes that Zeppelin is highly configurable and protected with obfuscation, and is deployed as an EXE or DLL file or arrives wrapped in a PowerShell loader. "The encryption algorithm has not changed substantially compared to previous versions of Buran," Cylance explains. "It employs a standard combination of symmetric file encryption with randomly generated keys for each file (AES-256 in CBC mode), and asymmetric encryption used to protect the session key (using a custom RSA implementation, possibly developed in-house)."
After encrypting files on the victim's drives and network shares, Zeppelin uses Notepad to display a ransom message in the form of a text file. Its content varies from target to target, "ranging from short, generic messages to more elaborate ransom notes tailored to individual organizations," Cylance reports. However, all versions of the note tell the victim to contact a secured email address and provide their victim IP number.
The ransomware can also track a victim's IP address and country code using the IP Logger web service, delete backups and shadow copies, attempt to elevate privileges and copy itself to other locations. Zeppelin uses a machine's IP address or its default language and country calling code to avoid executing on any machine based in Russia, Ukraine, Belarus or Kazakhstan. The avoidance of former Soviet countries is a tactic that was first seen in later Buran samples, Cylance notes.
"Ransomware, once in decline, has experienced a resurgence due to the efforts of innovative threat actors. For example, the actors behind Zeppelin demonstrate a dedication to their craft by deploying precise attacks against high-profile targets in the IT and health sectors," Cylance's blog post concludes. "Targeting specific organizations rather than every reachable user is just one example of how ransomware attacks continue to evolve."
