Security researchers at Blackberry Cylance have identified a new variant of Buran ransomware which is being used in targeted attacks on technology and healthcare companies in Europe and the United States.
The new ransomware variant was first detected on November 6, 2019. It is written in Delphi and is a member of the VegaLocker and Buran ransomware family. It is believed to be distributed under the ransomware-as-a-service model.
The first ransomware variants from this family were detected in early 2019 and were being distributed via malvertising campaigns on a Russian advertising network. Attacks were primarily conducted in Russia; however, Zeppelin ransomware does not run in Russia, Belarus, Ukraine, or Kazakhstan. When executed, the ransomware will check the language and default country code and will obtain the IP address. It will exit if it determines it is in one of those four countries.
Currently, the exact method of delivery of Zeppelin ransomware is not known, but the targets appear to have been carefully selected. Managed Service Providers (MSPs), technology companies, and healthcare organizations are being targeted.
The ransomware is configurable and can be delivered as a .exe or .dll file, and samples have been detected wrapped in PowerShell, with the latter hosted on Pastebin. The .exe and .dll samples were found on water-hole websites.
The change in targeted countries suggests different threat actors are involved with Zeppelin than the earlier VegaLocker/Buran ransomware variants and that the ransomware is likely to be distributed under RaaS or the source code has been stolen or purchased.
Similar to Ryuk and Sodinokibi ransomware, the threat actors appear to have targeted MSPs. This tactic is proving popular as it allows the attackers to use the remote administration tools of MSPs to conduct attacks on its clients and obtain multiple ransom payments.
Once Zeppelin ransomware has been downloaded and executed it immediately terminates processes associated with file backups, mail services, and databases.
When files are encrypted, the file name and extension remain the same, but a file marker is used that includes the name Zeppelin. A ransomware note is downloaded that contains email addresses for victims to make contact and find out about the ransom amount. The threat actors also offer victims the chance to decrypt one file free of charge to prove that they hold valid decryption keys.
Several different versions of ransom notes have been identified, some of which are personalized and include the name of the attacked company. That further suggests the ransomware is being distributed by affiliates under a RaaS model.
The ransomware does not encrypt entire files, only the first 1000 bytes but that is sufficient to render files unusable. It is believed that this method has been chosen to speed up the encryption process.
Currently no free decryptor for Zeppelin ransomware exists. All encrypted files will need to be recovered from backups or the ransom will have to be paid.