Researchers have discovered a new ransomware strain targeting healthcare and technology companies across US and Europe with carefully chosen cyberattacks. The new variant dubbed Zeppelin is the newest addition to the Delphi-based Ransomware-as-a-Service (RaaS) family, commonly known as Vega or VegaLocker, which was first discovered in early 2019. Since then, new variants have been released under different names (Jamper, Storm, Buran, etc.), with some of them offered as a service on underground forums.
While Zeppelin is based on the same code and shares most of its features with its predecessors, unlike previous Vega campaigns that were aimed mostly on Russian-speaking users related to the financial sector, the newest variant is designed to stop running on machines based in Russia or other ex-USSR countries. To ensure it’s not operating in any of the forbidden countries, the malware will either check the configured language in Windows or the victim’s country code by obtaining the victim’s external IP address, according to a latest report from Blackberry Cylance.
The shift in targeting from Russian-speaking to Western countries, as well as the differences in selection of victims and malware’s distribution methods suggests that the Zeppelin variant has been acquired by different threat actors, which either used it as a service or redeveloped from bought/stolen/leaked sources.
“Zeppelin appears to be highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader,” researchers explained. “The samples are hosted on water-holed websites, and in the case of PowerShell, on Pastebin.”
Based on the configurations attackers set from the Zeppelin builder user-interface during the generation of the ransomware binary, the malware enumerates files on all drives and network shares and encrypts them with the same algorithm as used by the other Vega variants. All sensitive strings in the ransomware’s binaries are obfuscated with a different pseudo-random 32-byte RC4 key, prepended to each encryption string.
“The string obfuscation acts as a crude polymorphism mechanism, as each generated sample will use different RC4 keys. It also helps Zeppelin evade detection and complicates analysis,” the report continues.
If Zeppelin is running as an executable, the first instance of the ransomware will encrypt the files on the current logical drive and spawn a number of subsequent processes with the "-agent" parameter that are responsible for encrypting files on other drives and network shares. All paths to encrypt are stored under the HKCU\Software\Zeppelin\Paths registry key.
“Like its predecessors, Zeppelin allows attackers to track the IP addresses and location of victims via the IPLogger web service,” researchers explained. “If the relevant option is set, the ransomware will try to check-in by sending a GET request to a hardcoded URL that was generated by using the IPLogger URL Shortener service… Attackers can use the IPLogger web service to view a list of victims and use the shortened URL to redirect users to other malicious content”.
Once all files on the victim’s machine are encrypted, Zeppelin will drop a ransom note instructing the victim to contact the attacker via a provided email addresses and quote their personal ID number.
“Ransomware, once in decline, has experienced a resurgence due to the efforts of innovative threat actors. For example, the actors behind Zeppelin demonstrate a dedication to their craft by deploying precise attacks against high-profile targets in the IT and health sectors. Targeting specific organizations rather than every reachable user is just one example of how ransomware attacks continue to evolve,” the researchers concluded.