Highly Targeted ‘Zeppelin’ Ransomware Hits Tech, Healthcare Firms
A new, highly targeted piece of ransomware has hit a handful of tech and healthcare companies in Europe and the United States, BlackBerry Cylance reports.
Caled “Zeppelin“, the malware is the latest addition to Vega (VegaLocker), the Delphi-based Ransomware-as-a-Service (RaaS) family that also includes variants such as Jamper, Storm, Buran, and more. Vega was initially observed in early 2019 targeting Russian users.
Unlike the Vega campaign, which had a broad reach, the Zeppelin attacks are targeted and the malware was designed to abort the infection process if the machine is based in Russia or ex-USSR countries.
The first samples of Zeppelin have compilation timestamps starting on November 6, 2019 and reveal that the malware is highly configurable, as it can be deployed as an EXE, DLL, or even wrapped in a PowerShell loader.
Water-holed websites and Pastebin (in the case of PowerShell) were used to host the samples and at least some attacks were conducted via MSSPs, similar to the highly targeted Sodinokibi ransomware, BlackBerry Cylance notes.
Zeppelin uses obfuscation to hide sensitive strings and employs different RC4 keys for each sample. Most of the binaries are not packed, but BlackBerry Cylance’s security researchers discovered some executables protected with additional polymorphic obfuscation software.
Options that can be set from the Zeppelin builder user-interface during generation of the ransomware binary include running as DLL, determining the victim IP address, copying itself to a different location and setting up persistence, erasing backups and disabling recovery, killing processes, unlocking files for encryption, erasing itself before exiting, and attempting to gain elevated privileges or re-run.
The .itext section of Zeppelin’s binary stores configuration data such as hardcoded public key, GUID, URL address for IPLogger check-in, excluded folders list/files list/extensions list, list of processes to kill/commands to run, and readme file name and content.
When executed, the malware checks the victim’s country code and exits if it detects a machine from the Russian Federation, Ukraine, Belorussia, or Kazakhstan.
The malware uses a standard combination of symmetric file encryption with randomly generated keys for each file (AES-256 in CBC mode), and asymmetric encryption to protect the session key.
The ransomware enumerates files on all drives and network shares and encrypts all files that don’t match the excluded files/extensions list. When the encryption process has been completed, Zeppelin drops a ransom note text file and display it in notepad.
The dropped ransom notes might range from short, generic messages to elaborate notes tailored to individual organizations, the security researchers say. Victims are instructed to contact the attacker via email and to provide a personal ID number.
“The actors behind Zeppelin demonstrate a dedication to their craft by deploying precise attacks against high-profile targets in the IT and health sectors. Targeting specific organizations rather than every reachable user is just one example of how ransomware attacks continue to evolve,” BlackBerry Cylance concludes.