A new variant of Vega ransomware family, dubbed Zeppelin, has recently been spotted in the wild targeting technology and healthcare companies across Europe, the United States, and Canada.
However, if you reside in Russia or some other ex-USSR countries like Ukraine, Belorussia, and Kazakhstan, breathe a sigh of relief, as the ransomware terminates its operations if found itself on machines located in these regions.
It’s notable and interesting because all previous variants of the Vega family, also known as VegaLocker, were primarily targeting Russian speaking users, which indicates Zeppelin is not the work of the same hacking group behind the previous attacks.
Since Vega ransomware and its previous variants were offered as a service on underground forums, researchers at BlackBerry Cylance believes either Zeppelin “ended up in the hands of different threat actors” or “redeveloped from bought/stolen/leaked sources.”
According to a report BlackBerry Cylance shared with The Hacker News, Zeppelin is a Delphi-based highly-configurable ransomware that can easily be customized to enable or disable various features, depending upon victims or requirements of attackers.
Zeppelin can be deployed as an EXE, DLL, or wrapped in a PowerShell loader and includes the following features:
- IP Logger — to track the IP addresses and location of victims
- Startup — to gain persistence
- Delete backups — to stop certain services, disable the recovery of files, delete backups and shadow copies, etc.
- Task-killer — kill attacker-specified processes
- Auto-unlock — to unlock files that appear locked during encryption
- Melt — to inject self-deletion thread to notepad.exe
- UAC prompt — try running the ransomware with elevated privileges
Based on the configurations attackers set from the Zeppelin builder user-interface during the generation of the ransomware binary, the malware enumerates files on all drives and network shares and encrypts them with the same algorithm as used by the other Vega variants.
“[Zeppelin] employs a standard combination of symmetric file encryption with randomly generated keys for each file (AES-256 in CBC mode), and asymmetric encryption used to protect the session key (using a custom RSA implementation, possibly developed in-house),” the researchers explain.
“Interestingly, some of the samples will encrypt only the first 0x1000 bytes (4KB), instead of 0x10000 (65KB). It might be either an unintended bug or a conscious choice to speed up the encryption process while rendering most files unusable anyway.”
Besides what features to be enabled and what files to be encrypted, the Zeppelin builder also allows attackers to configure the content of the ransom note text file, which it drops on the system and displays to the victim after encrypting the files.
“BlackBerry Cylance researchers have uncovered several different versions, ranging from short, generic messages to more elaborate ransom notes tailored to individual organizations,” the researchers say.
“All the messages instruct the victim to contact the attacker via a provided email addresses and quote their personal ID number.”
To evade detection, Zeppelin ransomware relies on multiple layers of obfuscation, including the use of pseudo-random keys, encrypted string, using code of varying sizes, as well as delays in execution to outrun sandboxes and deceive heuristic mechanisms.
Zeppelin was first discovered almost a month ago when it was distributed through water-holed websites with its PowerShell payloads hosted on the Pastebin website.
Researchers believe that at least some of the Zeppelin attacks were “conducted through MSSPs, which would bear similarities to another recent highly targeted campaign that used ransomware called Sodinokibi,” also known as Sodin or REvil.
The researchers have also shared indicators of compromise (IoC) in its blog post. At the time of writing, almost 30 percent of antivirus solutions are not able to detect this particular ransomware threat.
