
Updated Variants of the Zeppelin Malware have been Released

by CISOCONNECT Bureau

After a period of relative inactivity that began last Fall, the creators of Zeppelin ransomware have restarted their activity and begun to advertise new variants of the malware.

At the end of last month, a new variation of the ransomware was made public on a hacker forum, giving threat actors in the ransomware industry unlimited autonomy.

After a brief hiatus, the Zeppelin ransomware, also known as Buran and suspected to be a variant of the Vega/VegaLocker family, has resurfaced. It is a Delphi-based Ransomware-as-a-Service (RaaS). Zeppelin was first sighted in November 2019 on Russian-language hacker forums, and it targeted healthcare and technology firms in the United States, Canada, and Europe.

It has left a number of other footprints in the cybersecurity world since then. Its most recent version, with some additional features and long-term support, has been available on a hacker forum since last month.

By releasing a new variation of Zeppelin RaaS, the malware’s handlers have resumed their operations. On April 27, the malware’s creators released a new edition, which is believed to improve the stability of its encryption process.

The cost of this version of Zeppelin is $2,300 per core build.

Delivery
The Zeppelin ransomware is usually delivered by phishing emails carrying Microsoft Word attachments with embedded macros. On already compromised networks, Zeppelin has also been distributed using the ConnectWise Control (formerly ScreenConnect) remote management software. When the user opens the malicious Word document, they are tricked into enabling macros, which then extract a downloader script concealed inside the document's text content.

The script downloads Zeppelin and then sleeps for 26 seconds before launching it. The delay is an evasion technique aimed at automated sandboxes, which perform dynamic analysis for only a short window of time.
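The delivery chain described above (Word macro, downloader script, a long sleep, then the payload) leaves a recognisable shape in process-creation telemetry: an Office process spawns a script host, and that script host spawns a new executable only after a noticeable pause. The following is an added example, not code from the article or from any vendor; it runs over constructed sample events, and the 20-second threshold, the process names and the event format are assumptions.

```python
"""Hunt for Office -> script host -> delayed child chains in process-creation events.
Added example with constructed data; not part of the original article."""
from datetime import datetime

# Constructed sample events: (timestamp, pid, ppid, image path). Not real telemetry.
EVENTS = [
    ("2022-05-02T09:14:03", 4120, 1200, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ("2022-05-02T09:14:09", 4388, 4120, r"C:\Windows\System32\wscript.exe"),
    ("2022-05-02T09:14:35", 4502, 4388, r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    ("2022-05-02T09:20:00", 4610, 1200, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ("2022-05-02T09:20:01", 4611, 4610, r"C:\Windows\System32\wscript.exe"),
    ("2022-05-02T09:20:02", 4612, 4611, r"C:\Windows\System32\notepad.exe"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Assumption: a child started 20 s or more after its script-host parent is treated as a
# sandbox-evasion sleep (the article reports a 26-second delay).
MIN_DELAY_S = 20


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_delayed_office_chains(events, min_delay_s=MIN_DELAY_S):
    """Return (office_pid, script_pid, child_image, delay_seconds) for every chain
    Office -> script host -> child where the child starts after a long pause."""
    by_pid = {pid: (datetime.fromisoformat(ts), ppid, image)
              for ts, pid, ppid, image in events}
    hits = []
    for pid, (started, ppid, image) in by_pid.items():
        parent = by_pid.get(ppid)
        if parent is None or basename(parent[2]) not in SCRIPT_HOSTS:
            continue
        grandparent = by_pid.get(parent[1])
        if grandparent is None or basename(grandparent[2]) not in OFFICE:
            continue
        delay = (started - parent[0]).total_seconds()
        if delay >= min_delay_s:
            hits.append((parent[1], ppid, image, delay))
    return hits


if __name__ == "__main__":
    for office_pid, script_pid, child, delay in find_delayed_office_chains(EVENTS):
        print(f"Office pid {office_pid} -> script pid {script_pid} -> {child} after {delay:.0f}s")
```

Only the first chain is reported; the second Word-to-wscript chain launches its child after one second and so falls below the delay threshold, which is why the threshold, not just the parent relationship, carries the signal here.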

Working Mechanism & Modus Operandi
Once launched, the ransomware encrypts all files on all drives and network shares. Zeppelin uses the same encryption algorithm as another Vega variant. Furthermore, the developers promise additional perks to prospective buyers who approach them directly.

Zeppelin's operators do not run a data leak site, which suggests that they rely on encryption alone and do not exfiltrate data. To reach its victims, Zeppelin uses common initial access vectors such as RDP, VPN vulnerabilities, and phishing.

Users in Russia and adjacent countries such as Belarus, Kazakhstan, and Ukraine are not infected by this ransomware.

Mitigation
Although this malware lacks the double-extortion capability, it can still cause significant damage. Security experts therefore advise that external access paths such as remote desktop and VPN be monitored and audited regularly to guard against this threat.

If a device on your network is infected with ransomware, it will begin encrypting files, which could include remote files on your network. The only option to recover from a ransomware attack is to restore all of the files from the most recent backup.
