A new, highly targeted piece of ransomware has hit a handful of healthcare and technology companies in Europe and the US, BlackBerry Cylance reports.
Called “Zeppelin,” the malware is the latest addition to the Delphi-based Ransomware-as-a-Service (RaaS) family Vega (VegaLocker), which also includes variants such as Jamper, Storm and Buran. Vega was initially observed targeting Russian users in early 2019.
In contrast to the large-scale Vega campaign, Zeppelin is built to abort the infection if the machine is located in Russia or another former USSR country.
The first Zeppelin samples carry compilation timestamps beginning November 6, 2019, and show that the malware can be delivered as an EXE, as a DLL, or bundled in a PowerShell loader.
The samples are hosted on watering-hole websites and on Pastebin (in the PowerShell case), and at least some attacks are carried out through MSSPs, similar to the highly targeted Sodinokibi ransomware, BlackBerry Cylance notes.
Zeppelin obfuscates sensitive strings and uses a different RC4 key for each sample. Most of the binaries are not packed, but BlackBerry Cylance researchers found some executables protected with an additional polymorphic obfuscator.
Options that can be set from the Zeppelin builder user interface when generating the ransomware binary include DLL output, logging the victim’s IP address, copying itself to another location and setting up persistence, deleting backups and disabling recovery, killing processes, unlocking files, self-deleting after completion, and attempting to gain elevated privileges.
The .itext section of the Zeppelin binary stores configuration data such as the GUID, the IPLogger lookup URL, the lists of excluded files, directories and extensions, the list of processes to kill and commands to execute, and the file name and content of the Readme ransom note.
When run, the malware checks the victim’s country code and exits if the machine is identified as being in the Russian Federation, Ukraine, Belarus or Kazakhstan.
For file encryption the malware uses a standard combination of symmetric and asymmetric encryption: a randomly generated key for each file (AES-256 in CBC mode), with asymmetric encryption protecting the session key.
The ransomware enumerates files on all drives and network shares and encrypts every file that does not match the excluded file / extension lists. Once encryption is complete, Zeppelin drops a ransom note text file and displays it in Notepad.
The dropped ransom notes range from short, generic messages to elaborate notes tailored to each organization, according to the researchers. Victims are told to contact the attacker by email and provide their personal ID number.
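The behaviour described above (a single process rewriting files across every local drive and network share, then launching Notepad on a note) is something endpoint telemetry can flag. The following detection logic is an added example written for this page, not code from BlackBerry Cylance; the CSV event format, the process names and the note file name are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not from the report): timestamp, pid, image, event, target.
# pid 4242 rewrites files on two local drives and a share, then opens a note in Notepad;
# pid 5100 is ordinary Word activity and should not alert.
SAMPLE_EVENTS = """\
2019-11-07T10:00:00,4242,C:\\Users\\a\\svc.exe,file_write,C:\\Users\\a\\Docs\\q1.docx
2019-11-07T10:00:01,4242,C:\\Users\\a\\svc.exe,file_write,C:\\Users\\a\\Docs\\q2.xlsx
2019-11-07T10:00:02,4242,C:\\Users\\a\\svc.exe,file_write,\\\\fileserver\\finance\\ledger.xlsx
2019-11-07T10:00:03,4242,C:\\Users\\a\\svc.exe,file_write,D:\\backup\\db.bak
2019-11-07T10:00:05,4242,C:\\Users\\a\\svc.exe,process_create,C:\\Windows\\notepad.exe C:\\Users\\a\\Docs\\RECOVER_FILES.txt
2019-11-07T10:01:00,5100,C:\\Program Files\\Office\\WINWORD.EXE,file_write,C:\\Users\\a\\Docs\\memo.docx
2019-11-07T10:01:10,5100,C:\\Program Files\\Office\\WINWORD.EXE,process_create,C:\\Windows\\notepad.exe C:\\Users\\a\\notes.txt
"""

def parse_events(text):
    """Parse the CSV telemetry into (time, pid, image, event, target) tuples."""
    return [(datetime.fromisoformat(ts), int(pid), image, event, target)
            for ts, pid, image, event, target in csv.reader(io.StringIO(text))]

def volume_of(path):
    """Drive letter ('C:') or UNC share root ('\\\\server\\share') a path lives on."""
    if path.startswith("\\\\"):
        return "\\\\" + "\\".join(path[2:].split("\\")[:2])
    return path[:2].upper()

def find_mass_rewriters(events, min_files=3, min_volumes=2, window=timedelta(seconds=60)):
    """Flag processes that rewrite many files across several volumes within one window.
    Thresholds are deliberately low for the constructed sample; raise them in production."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev[1]].append(ev)
    alerts = []
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e[0])
        writes = [e for e in evs if e[3] == "file_write"]
        for i, first in enumerate(writes):
            burst = [e for e in writes[i:] if e[0] - first[0] <= window]
            volumes = {volume_of(e[4]) for e in burst}
            if len(burst) < min_files or len(volumes) < min_volumes:
                continue
            # Zeppelin displays its ransom note in Notepad once encryption finishes,
            # so a notepad.exe launch after the write burst strengthens the alert.
            note_shown = any(e[3] == "process_create" and "notepad.exe" in e[4].lower()
                             and e[0] >= burst[-1][0] for e in evs)
            alerts.append({"pid": pid, "image": first[2], "files": len(burst),
                           "volumes": sorted(volumes), "ransom_note_displayed": note_shown})
            break
    return alerts

if __name__ == "__main__":
    for alert in find_mass_rewriters(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Matching only on the write burst would also catch backup agents and archivers, which is why the cross-volume spread and the follow-on Notepad launch are kept as separate signals in the alert.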
“The actors behind Zeppelin show their devotion to their art by critical attacks on high-profile IT and health objectives. Targeting specific companies is just one example of how the ransomware attacks tend to grow instead of every open client,” concludes BlackBerry Cylance.