Skip to main content

Tech and Health Companies Targeted by New Zeppelin Ransomware

Zeppelin Ransomware

A new variant of Vega ransomware family, dubbed Zeppelin, has recently been spotted in the wild targeting technology and healthcare companies across Europe, the United States, and Canada.

However, if you reside in Russia or some other ex-USSR countries like Ukraine, Belorussia, and Kazakhstan, breathe a sigh of relief, as the ransomware terminates its operations if found itself on machines located in these regions.

It's notable and interesting because all previous variants of the Vega family, also known as VegaLocker, were primarily targeting Russian speaking users, which indicates Zeppelin is not the work of the same hacking group behind the previous attacks.

Since Vega ransomware and its previous variants were offered as a service on underground forums, researchers at BlackBerry Cylance believes either Zeppelin "ended up in the hands of different threat actors" or "redeveloped from bought/stolen/leaked sources."

According to a report BlackBerry Cylance shared with The Hacker News, Zeppelin is a Delphi-based highly-configurable ransomware that can easily be customized to enable or disable various features, depending upon victims or requirements of attackers.

Zeppelin can be deployed as an EXE, DLL, or wrapped in a PowerShell loader and includes the following features:

  • IP Logger — to track the IP addresses and location of victims
  • Startup — to gain persistence
  • Delete backups — to stop certain services, disable the recovery of files, delete backups and shadow copies, etc.
  • Task-killer — kill attacker-specified processes
  • Auto-unlock — to unlock files that appear locked during encryption
  • Melt — to inject self-deletion thread to notepad.exe
  • UAC prompt — try running the ransomware with elevated privileges

Based on the configurations attackers set from the Zeppelin builder user-interface during the generation of the ransomware binary, the malware enumerates files on all drives and network shares and encrypts them with the same algorithm as used by the other Vega variants.

Zeppelin Ransomware

"[Zeppelin] employs a standard combination of symmetric file encryption with randomly generated keys for each file (AES-256 in CBC mode), and asymmetric encryption used to protect the session key (using a custom RSA implementation, possibly developed in-house)," the researchers explain.

"Interestingly, some of the samples will encrypt only the first 0x1000 bytes (4KB), instead of 0x10000 (65KB). It might be either an unintended bug or a conscious choice to speed up the encryption process while rendering most files unusable anyway."

Besides what features to be enabled and what files to be encrypted, the Zeppelin builder also allows attackers to configure the content of the ransom note text file, which it drops on the system and displays to the victim after encrypting the files.

"BlackBerry Cylance researchers have uncovered several different versions, ranging from short, generic messages to more elaborate ransom notes tailored to individual organizations," the researchers say.

"All the messages instruct the victim to contact the attacker via a provided email addresses and quote their personal ID number."

To evade detection, Zeppelin ransomware relies on multiple layers of obfuscation, including the use of pseudo-random keys, encrypted string, using code of varying sizes, as well as delays in execution to outrun sandboxes and deceive heuristic mechanisms.

Zeppelin was first discovered almost a month ago when it was distributed through water-holed websites with its PowerShell payloads hosted on the Pastebin website.

Researchers believe that at least some of the Zeppelin attacks were "conducted through MSSPs, which would bear similarities to another recent highly targeted campaign that used ransomware called Sodinokibi," also known as Sodin or REvil.

The researchers have also shared indicators of compromise (IoC) in its blog post. At the time of writing, almost 30 percent of antivirus solutions are not able to detect this particular ransomware threat.

Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys,  Please a wonderfull tutorial provided bt Sem;\  Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods. So let's Get Started :) Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers. For This First You Need the Following Files : 1 -> Sen Haxor CGI Shell 2 -> sen.zip 3 -> passwd-bypass.php 4 -> Turbo Brute force Cpanel 5 - > Port.py First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server . Use the Following Code : Make a php.ini with the following code safe_mode=Off And ini.php with <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...