Researchers have discovered a newly introduced ransomware of Russian origin called Zeppelin, targeting healthcare and technology companies across Europe, the United States of America and Canada. Zeppelin is highly configurable and, according to the report, can be launched as an EXE or DLL file or bundled into a PowerShell loader.
This ransomware is about a month old but has managed to spread like wildfire, staging selected attacks on companies. Josh Lemos, VP of research and intelligence at BlackBerry Cylance, told reporters that there seem to be a limited number of victims. According to him, the hackers appear very selective about their targets, as the ransomware has not been used in any widespread distribution campaign.
Image Source: www.trendmicro.com
According to analysis of the code, the ransomware was compiled in November 2019, and it appears to be based on a network-encrypting malware called VegaLocker. Though it belongs to the same family as VegaLocker, Zeppelin is more advanced and built to function somewhat differently from its predecessor, leading the researchers to classify it as new ransomware.
The researchers revealed that Zeppelin operates regardless of its mode of delivery, and starts its installation by creating a temporary folder called “Zeppelin” before spreading on the target computer. Zeppelin has been observed spreading in supply chain attacks through Managed Security Service Providers (MSSPs), similar to the Sodinokibi ransomware. The ransomware is also spread through watering hole attacks and malvertising operations designed to deliver the malicious payload to the target. Once the ransomware has made its way into the computer system, it encrypts files.
It uses a private key to distinguish the victim from the targets of other attacks. Since these are mostly selected attacks, the hackers can be certain of hitting the intended victim by monitoring the victims' IP addresses.
The ransomware is well designed and is configured to leave the victim with a text file containing a ransom note once it has finished encrypting the files. The ransom notes range from short generic messages to tailored notes written for targeted organizations. The amount each targeted organization is asked to pay as ransom varies from organization to organization. Regardless of the size of the affected organization, the ransom is demanded in Bitcoin.
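The two behaviours described above (a temporary folder named “Zeppelin” created before encryption, then a burst of file rewrites ending with a dropped ransom-note text file) are the kind of sequence a defender can look for in file-system telemetry. The following detection is an added example, not code from the original article or from the researchers; the event line format, process IDs, paths and the burst thresholds are all constructed assumptions for illustration.

```python
"""Added example: flag the Zeppelin-style sequence (temp folder creation,
write burst, .txt note drop) in constructed file-system event lines."""
import re
from collections import defaultdict

# Constructed sample telemetry: "<epoch> <pid> <action> <path>"
SAMPLE_EVENTS = """\
1575000000 4120 mkdir C:\\Users\\bob\\AppData\\Local\\Temp\\Zeppelin
1575000001 4120 write C:\\Users\\bob\\Documents\\q1.xlsx
1575000001 4120 write C:\\Users\\bob\\Documents\\q2.xlsx
1575000002 4120 write C:\\Users\\bob\\Documents\\plan.docx
1575000002 4120 write C:\\Users\\bob\\Documents\\notes.docx
1575000003 4120 write C:\\Users\\bob\\Documents\\README_TO_RESTORE.txt
1575000005 2200 write C:\\Users\\bob\\Documents\\todo.txt
"""

EVENT_RE = re.compile(r"^(\d+) (\d+) (\w+) (.+)$")
WRITE_BURST = 4    # assumed threshold: writes by one pid inside BURST_WINDOW
BURST_WINDOW = 10  # seconds (assumed)

def parse_events(text):
    """Parse event lines into (timestamp, pid, action, path) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, pid, action, path = m.groups()
            events.append((int(ts), int(pid), action, path))
    return events

def detect(text):
    """Return {pid: [finding, ...]} for processes showing the sequence."""
    findings = defaultdict(list)
    writes = defaultdict(list)
    for ts, pid, action, path in parse_events(text):
        # Stage 1: the temporary "Zeppelin" folder the article describes
        if action == "mkdir" and re.search(r"\\temp\\zeppelin$", path, re.I):
            findings[pid].append("temp folder 'Zeppelin' created")
        if action == "write":
            writes[pid].append((ts, path))
    # Stage 2: many rewrites in a short window, ending with a .txt note
    for pid, items in writes.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            window = [p for t, p in items[i:] if t - t0 <= BURST_WINDOW]
            if len(window) >= WRITE_BURST and any(p.lower().endswith(".txt") for p in window):
                findings[pid].append("write burst followed by .txt note")
                break
    return dict(findings)
```

Process 2200 writes a single .txt file and is not flagged, which is the point of pairing the note drop with a write burst rather than alerting on text files alone.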
Image Source: www.bleepingcomputer.com
It was reported that the ransomware is offered as-a-service on the dark web, with cybercriminals obtaining it from vendors along with the right to modify it to their needs. The researchers concluded that the ransomware most likely originated in Russia, since on first execution it checks the victim's country code to ensure the machine is not running in Russia, Ukraine, Kazakhstan, or Belarus. The ransomware reportedly will not operate when the victim's IP address matches any of the listed countries. This differs from VegaLocker, which has no problem infecting Russian-based devices.
It is sad to announce that there is currently no free decryption tool to tackle this new ransomware. However, individuals and organizations can prevent Zeppelin attacks by paying attention to basic cybersecurity principles. According to Lemos, to avoid being infected by this ransomware you should keep the operating system up to date, back up frequently and keep the backups disconnected from the network, stay vigilant and cautious, and educate your workers on security guidelines.
Lemos has stated that the campaign has not fully started yet. According to him, all recorded incidents were some kind of test run on a few victims.
New ransomware is introduced every day, and more advanced strains are designed to match powerful cybersecurity tools, underscoring the need for individuals and corporate bodies to avoid becoming victims by following basic cybersecurity guidelines.
Disclaimer: Darkweblink.com does not promote or endorse claims that have been made by any parties in this article. The information provided here is for general purposes only and is not intended to promote or support the purchase and/or sale of any products or services, or to serve as a recommendation to become involved in doing so. Neither Darkweblink.com nor any member is responsible, directly or indirectly, for any loss or damage caused or alleged to be caused by or in relation to reliance on or use of any content, goods or services mentioned in this article.