Threat Management, Malware, Ransomware

Dread Zeppelin: Ransomware targets health care and IT sectors in U.S., Europe

Cybercriminals have spun off a ransomware that was originally known to target Russian organizations into a new malicious encryptor used in targeted campaigns against strategically selected health care and IT companies in America and Europe.

Dubbed Zeppelin, the new ransomware is a descendant of VegaLocker, a Delphi-based Ransomware-as-a-Service (RaaS) offering that was discovered in early 2019 and quickly evolved into variants such as Jamper and Buran. While this family of ransomware was notably observed in a malvertising campaign targeting Russian-speaking accountants, the new Zeppelin strain has clearly pursued an entirely different agenda, and furthermore is "visibly distinct" from its predecessors, according to blog post published yesterday by the Cylance Threat Research Team.

Cylance, a division of BlackBerry, theorizes that Zeppelin is being deployed by a different group of threat actors than those who operated any of the earlier VegaLocker variants. The new actors could be cybercriminal affiliates who entered into an RaaS arrangement with Zeppelin's true owners, or if they somehow obtained VegaLocker's or Buran's source code they could have perhaps redeveloped it themselves into the latest iteration.

Either way, Cylance says the Zeppelin actors appear to have "carefully chosen" their targeted organizations in a campaign that dates back to at least Nov. 6, 2019, based on the timestamps of the ransomware's earliest known samples. Samples were found hosted on compromised websites as well as on Pastebin. Furthermore, "There are reasons to believe at least some of the attacks were conducted through MSSPs [Managed Security Service Provider]," the blog post continues.

Cylance notes that Zeppelin is highly configurable and protected with obfuscation, and is deployed as an EXE or DLL file or arrives wrapped in a PowerShell loader. "The encryption algorithm has not changed substantially compared to previous versions of Buran," Cylance explains. "It employs a standard combination of symmetric file encryption with randomly generated keys for each file (AES-256 in CBC mode), and asymmetric encryption used to protect the session key (using a custom RSA implementation, possibly developed in-house)."

After encrypting files on the victim's drives and network shares, Zeppelin uses Notepad to display a ransom message in the form of a text file. Its content varies from target to target, "ranging from short, generic messages to more elaborate ransom notes tailored to individual organizations," Cylance reports. However, all versions of the note tell the victim to contact a secured email address and provide their victim IP number.

The ransomware can also track a victim's IP address and country code using the IP Logger web service, delete backups and shadow copies, attempt to elevate privileges and copy itself to other locations. Zeppelin uses a machine's IP address or its default language and country calling code to avoid executing on any machine based in Russia, Ukraine, Belarus or Kazakhstan. The avoidance of former Soviet countries is a tactic that was first seen in later Buran samples, Cylance notes.

"Ransomware, once in decline, has experienced a resurgence due to the efforts of innovative threat actors. For example, the actors behind Zeppelin demonstrate a dedication to their craft by deploying precise attacks against high-profile targets in the IT and health sectors," Cylance's blog post concludes. "Targeting specific organizations rather than every reachable user is just one example of how ransomware attacks continue to evolve."

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds