Security researchers have identified a new variant of the Vega ransomware family, named Zeppelin, which is reported to be targeting health care and IT companies in the U.S. and in Europe.
According to the BlackBerry Cylance Threat Research team, the new ransomware shares most of its code and features with its predecessor, VegaLocker. Despite these similarities, the researchers note that the campaign in which Zeppelin is used differs significantly from the campaigns that deployed the earlier versions of the malware.
“The recent campaign that utilizes the newest variant, Zeppelin, is visibly distinct. The first samples of Zeppelin–with compilation timestamps no earlier than November 6, 2019–were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the U.S.,” the Cylance Threat Research Team revealed Wednesday, Dec. 11.
As the group explains, Zeppelin is highly configurable ransomware that can be deployed as an EXE, as a DLL, or wrapped in a PowerShell loader. Once installed, the malware checks the victim’s country code to make sure it is not running in the Russian Federation, Ukraine, Belorussia, or Kazakhstan.
After encryption, the malware opens Notepad to display a ransom note that reads:
“!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases, and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase a unique private key. Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: bad_sysadmin(at)protonmail[.]com and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
Write to email:bad_sysadmin(at)protonmail[.]com
Your personal ID: <!--ID-->”
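The ransom note quoted above is the most reliable host-side artifact a responder will see. The following scanner is an added example, not code from the article or from the Cylance team: it walks a directory, flags text files that carry the note’s header together with the contact address (matching both the defanged form printed above and the plain form a live note would contain), extracts the victim ID, and scores weaker supporting phrases. The file names, the scoring weights, the 64 KB size cut-off and the placeholder victim ID are assumptions for the demonstration; the sample files are constructed, not incident data.

```python
"""Scan a directory tree for Zeppelin-style ransom notes (added example)."""
import re
import tempfile
from pathlib import Path

# Indicators taken verbatim from the ransom note quoted in the article.
NOTE_HEADER = "!!! ALL YOUR FILES ARE ENCRYPTED !!!"
# Match the contact address as printed (defanged with "(at)" and "[.]")
# and as it would appear in a live note (with "@" and ".").
CONTACT_RE = re.compile(
    r"bad_sysadmin(?:@|\(at\))protonmail(?:\.|\[\.\])com", re.IGNORECASE)
VICTIM_ID_RE = re.compile(r"Your personal ID:\s*(\S+)")
# Phrases that are weak on their own but raise confidence together.
SUPPORTING_PHRASES = (
    "purchase a unique private key",
    "decrypt one file for free",
)


def analyse_note(text: str) -> dict:
    """Return which indicators a text hits, the victim ID if present, and a score."""
    hits = {
        "header": NOTE_HEADER in text,
        "contact": bool(CONTACT_RE.search(text)),
        "supporting": sum(phrase in text for phrase in SUPPORTING_PHRASES),
    }
    id_match = VICTIM_ID_RE.search(text)
    hits["victim_id"] = id_match.group(1) if id_match else None
    # Assumed weights: strong indicators count 2, each supporting phrase counts 1.
    hits["score"] = 2 * int(hits["header"]) + 2 * int(hits["contact"]) + hits["supporting"]
    # Require both strong indicators before calling it a Zeppelin note.
    hits["is_zeppelin_note"] = hits["header"] and hits["contact"]
    return hits


def scan_directory(root: Path, max_bytes: int = 64 * 1024) -> list:
    """Walk root and return (path, analysis) for every file that looks like a note."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue  # ransom notes are small text files; skip large binaries
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        result = analyse_note(text)
        if result["is_zeppelin_note"]:
            findings.append((path, result))
    return findings


# Constructed sample data (not real incident artifacts): one note using a
# placeholder victim ID, and one benign file that also mentions encryption.
SAMPLE_NOTE = """!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases, and other important files are encrypted.
The only method of recovering files is to purchase a unique private key.
To be sure we have the decryptor and it works you can send an email: bad_sysadmin@protonmail.com and decrypt one file for free.
Your personal ID: PLACEHOLDER-VICTIM-ID
"""
BENIGN_FILE = "Reminder: all backups are encrypted at rest with our own KMS key.\n"


def demo() -> list:
    """Build a throwaway directory, scan it, and return the findings as plain data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        (root / "Desktop" / "README.txt").write_text(SAMPLE_NOTE)
        (root / "notes.txt").write_text(BENIGN_FILE)
        found = scan_directory(root)
        # Return names rather than Paths so the result outlives the temp dir.
        return [(path.name, result) for path, result in found]


if __name__ == "__main__":
    for name, result in demo():
        print(f"{name}: score={result['score']} victim_id={result['victim_id']}")
```

Pointing `scan_directory` at user profile directories on a suspect host gives a quick triage of which machines were hit and lets the extracted victim IDs be correlated across the fleet; the scoring lets a responder tune how much weight the weaker phrases get without changing the hard requirement of header plus contact address.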
Given the major shift in targets and deployment methods, the researchers believe Zeppelin is most likely now controlled by different threat actors, who either use the ransomware as a service or have redeveloped it from purchased or stolen source code.
The researchers also note the possibility that at least some Zeppelin attacks were conducted through managed security service providers (MSSPs), which aligns with another recent campaign involving Sodinokibi ransomware.
“The ongoing refinement of ransomware attacks serves as a stark reminder that effective cybersecurity should be proactive, predictive, adaptive, and semi-autonomous,” the Cylance Threat Research team concludes.