Cyber360 News
New Zeppelin Ransomware Targeting Tech and Health Companies

by Cyber360 News
December 11, 2019
in Cyber Attacks
A new variant of the Vega ransomware family, dubbed Zeppelin, has recently been spotted in the wild targeting technology and healthcare companies across Europe, the United States, and Canada.

If you are in Russia or certain other former Soviet countries such as Ukraine, Belarus, and Kazakhstan, however, you can breathe a sigh of relief: the ransomware terminates itself when it finds that it is running on a machine located in one of those regions.

This is notable because all previous variants of the Vega family, also known as VegaLocker, primarily targeted Russian-speaking users, which suggests Zeppelin is not the work of the same group behind the earlier attacks.

Since Vega ransomware and its earlier variants were offered as a service on underground forums, researchers at BlackBerry Cylance believe Zeppelin either “ended up in the hands of different threat actors” or was “redeveloped from bought/stolen/leaked sources.”

According to a report BlackBerry Cylance shared with The Hacker News, Zeppelin is a Delphi-based, highly configurable ransomware that can be customized to enable or disable various features depending on the victim or the attackers' requirements.

Zeppelin can be deployed as an EXE, a DLL, or wrapped in a PowerShell loader, and includes the following features:

  • IP Logger — tracks the IP address and location of victims
  • Startup — gains persistence
  • Delete backups — stops certain services, disables file recovery, and deletes backups and shadow copies
  • Task-killer — kills attacker-specified processes
  • Auto-unlock — unlocks files that appear locked during encryption so they can still be encrypted
  • Melt — injects a self-deletion thread into notepad.exe
  • UAC prompt — attempts to run the ransomware with elevated privileges
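
Of the features listed above, "Delete backups" is the one defenders most reliably catch at the endpoint, because it has to invoke well-known Windows recovery tooling. The following is an added example, not code from the BlackBerry Cylance report or from Zeppelin itself: it scans constructed process-creation events (a Sysmon-style `Key=Value|Key=Value` layout assumed for this example) for shadow-copy deletion and boot-recovery tampering. The commands matched (vssadmin, wmic shadowcopy, bcdedit, wbadmin) are the generic patterns used across many ransomware families; the page does not state which of them Zeppelin runs, so treat the rules as an assumption to tune against your own telemetry rather than a Zeppelin signature.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one matched event: the rule that fired plus context for triage.
type Finding struct {
	Rule    string
	Parent  string
	Command string
}

// backupTamperRules are generic patterns for the "delete backups / disable recovery"
// behaviour seen across ransomware families. They are an assumption for this example;
// the page does not say which commands Zeppelin itself runs.
var backupTamperRules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"vss_shadow_delete", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b`)},
	{"wmic_shadow_delete", regexp.MustCompile(`(?i)\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b`)},
	{"bcdedit_recovery_off", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b`)},
	{"wbadmin_catalog_delete", regexp.MustCompile(`(?i)\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b`)},
}

// sampleEvents are constructed process-creation records in a Sysmon-style
// "Key=Value|Key=Value" layout assumed for this example, not real telemetry.
var sampleEvents = []string{
	`EventID=1|Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Users\Public\update.exe|CommandLine=vssadmin.exe delete shadows /all /quiet`,
	`EventID=1|Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=vssadmin list shadows`,
	`EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Users\Public\update.exe|CommandLine=bcdedit /set {default} recoveryenabled no`,
	`EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt`,
}

// field returns the value of a named key in a "Key=Value|..." event, or "" if absent.
func field(event, name string) string {
	for _, kv := range strings.Split(event, "|") {
		if k, v, ok := strings.Cut(kv, "="); ok && strings.EqualFold(strings.TrimSpace(k), name) {
			return v
		}
	}
	return ""
}

// ScanEvents returns one Finding per event whose command line matches a rule; each
// event is reported at most once, under the first rule that matches.
func ScanEvents(events []string) []Finding {
	var out []Finding
	for _, ev := range events {
		cmd := field(ev, "CommandLine")
		if cmd == "" {
			continue
		}
		for _, r := range backupTamperRules {
			if r.Re.MatchString(cmd) {
				out = append(out, Finding{Rule: r.Name, Parent: field(ev, "ParentImage"), Command: cmd})
				break
			}
		}
	}
	return out
}

func main() {
	for _, f := range ScanEvents(sampleEvents) {
		fmt.Printf("[%s] parent=%s cmd=%q\n", f.Rule, f.Parent, f.Command)
	}
}
```

Running it flags only the `vssadmin ... delete shadows` and `bcdedit ... recoveryenabled no` events; the benign `vssadmin list shadows` and the notepad launch pass. The parent image is carried into each finding on purpose: the same command spawned by a backup agent and by an unknown binary in a user-writable directory deserve very different responses, and that context is what turns a noisy rule into an actionable one.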

Based on the configuration attackers set in the Zeppelin builder's user interface when generating the ransomware binary, the malware enumerates files on all drives and network shares and encrypts them with the same algorithm used by the other Vega variants.


“[Zeppelin] employs a standard combination of symmetric file encryption with randomly generated keys for each file (AES-256 in CBC mode), and asymmetric encryption used to protect the session key (using a custom RSA implementation, possibly developed in-house),” the researchers explain.

“Interestingly, some of the samples will encrypt only the first 0x1000 bytes (4KB), instead of 0x10000 (65KB). It might be either an unintended bug or a conscious choice to speed up the encryption process while rendering most files unusable anyway.”
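
To make the two quoted paragraphs concrete, here is an added example (not code from the report or from Zeppelin) that implements the same hybrid construction in Go: a fresh random AES-256 key and IV per file, CBC mode over only the first `limit` bytes (0x1000 or 0x10000, the two variants the researchers observed), and the per-file key wrapped with an RSA public key. Go's standard-library RSA-OAEP stands in for the “custom RSA implementation” the report mentions, and the container layout (`EncryptedFile`) is an assumption for the example, not Zeppelin's real file format. The decrypt side shows why the attacker's private key is the only thing that recovers the data, and the partial-encryption limit makes the speed-versus-coverage trade-off visible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is the container layout assumed for this example, not Zeppelin's real format.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP wrapped with the attacker's public key
	IV         []byte // random 16-byte CBC IV
	PrefixLen  int    // number of plaintext bytes that were actually encrypted
	Body       []byte // PKCS#7-padded ciphertext of the prefix, then the untouched remainder
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad padded length %d", len(b))
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptFile applies the scheme in the report: a fresh random AES-256 key and IV per file,
// CBC over only the first `limit` bytes, and the key wrapped with the attacker's public key.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte, limit int) (*EncryptedFile, error) {
	keyIV := make([]byte, 32+aes.BlockSize)
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	key, iv := keyIV[:32], keyIV[32:]
	prefixLen := len(plaintext)
	if prefixLen > limit {
		prefixLen = limit
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext[:prefixLen]...)) // copy, never pad in place
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil) // OAEP stands in for the custom RSA
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, IV: iv, PrefixLen: prefixLen,
		Body: append(ct, plaintext[prefixLen:]...)}, nil
}

// DecryptFile is the step only the holder of the RSA private key can perform: unwrap the
// per-file key, undo CBC on the encrypted prefix, and reattach the untouched tail.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := ef.PrefixLen + aes.BlockSize - ef.PrefixLen%aes.BlockSize // padded prefix length
	if n > len(ef.Body) {
		return nil, fmt.Errorf("truncated body")
	}
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(block, ef.IV).CryptBlocks(pt, ef.Body[:n])
	prefix, err := pkcs7Unpad(pt)
	if err != nil {
		return nil, err
	}
	return append(prefix, ef.Body[n:]...), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // attacker keypair; the private half never reaches the victim
	doc := bytes.Repeat([]byte("constructed sample document line\n"), 4000) // constructed ~130 KB input
	for _, limit := range []int{0x1000, 0x10000} {
		ef, _ := EncryptFile(&priv.PublicKey, doc, limit)
		back, _ := DecryptFile(priv, ef)
		fmt.Printf("limit=%#x: %.1f%% encrypted, first 32 bytes readable=%v, roundtrip=%v\n",
			limit, 100*float64(ef.PrefixLen)/float64(len(doc)), bytes.Equal(ef.Body[:32], doc[:32]), bytes.Equal(back, doc))
	}
}
```

Two things the run makes obvious. First, with the 0x1000 limit only about 3% of a 130 KB file is ciphertext, yet any format that keeps its header, directory or structure in the first 4 KB (Office documents, databases, archives) is unusable, which is exactly the trade-off the researchers describe. Second, because every file key is wrapped with the public key and the private key never leaves the attacker, recovering the AES key from the infected host is not possible; a wrong private key fails at the unwrap step before any file data is touched.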

Besides choosing which features to enable and which files to encrypt, the Zeppelin builder also lets attackers configure the content of the ransom note text file, which the malware drops on the system and displays to the victim after encrypting the files.

“BlackBerry Cylance researchers have uncovered several different versions, ranging from short, generic messages to more elaborate ransom notes tailored to individual organizations,” the researchers say.


“All the messages instruct the victim to contact the attacker via a provided email addresses and quote their personal ID number.”

To evade detection, Zeppelin relies on multiple layers of obfuscation, including pseudo-random keys, encrypted strings, code of varying sizes, and execution delays intended to outlast sandboxes and defeat heuristic detection.

Zeppelin was first discovered almost a month ago, when it was distributed through watering-hole websites with its PowerShell payloads hosted on Pastebin.

Researchers believe that at least some of the Zeppelin attacks were “conducted through MSSPs,” managed security service providers, “which would bear similarities to another recent highly targeted campaign that used ransomware called Sodinokibi,” also known as Sodin or REvil.

The researchers have also shared indicators of compromise (IoCs) in their blog post. At the time of writing, almost 30 percent of antivirus solutions were unable to detect this particular ransomware threat.

© 2019 Cyber360 News - Powered by WebSensePro