A new variant of the Vega ransomware family, called Zeppelin, was found to be targeting technology and healthcare companies across Europe, the United States, and Canada.
All the earlier variants of the Vega family, also known as VegaLocker, primarily targeted Russian-speaking users. Companies located in Russia or in other ex-USSR countries such as Ukraine, Belorussia, and Kazakhstan are spared, because the ransomware terminates if it finds itself on a machine located in one of these regions.
This indicates that Zeppelin is not the work of the same hacking group behind the previous attacks.
Vega ransomware and its previous variants were offered as a service on underground forums. The security researchers at BlackBerry Cylance therefore state that Zeppelin might be the work of a different threat actor, or might have been redeveloped from other sources.
According to a report by BlackBerry Cylance, Zeppelin is a Delphi-based, highly configurable ransomware that can easily be customized to enable or disable various features, depending on the victim or the attacker's requirements.
Zeppelin can be deployed as an EXE, DLL, or wrapped in a PowerShell loader and includes the following features:
- IP Logger: to track the IP addresses and location of victims
- Startup: to gain persistence
- Delete backups: to stop certain services, disable the recovery of files, delete backups and shadow copies, etc.
- Task-killer: to kill attacker-specified processes
- Auto-unlock: to unlock files that appear locked during encryption
- Melt: to inject a self-deletion thread into notepad.exe
- UAC prompt: to try running the ransomware with elevated privileges
The researchers stated that Zeppelin employs a standard combination of symmetric file encryption with randomly generated keys for each file (AES-256 in CBC mode), and asymmetric encryption used to protect the session key (using a custom RSA implementation, possibly developed in-house).
Some of the samples will encrypt only the first 0x1000 bytes (4KB), instead of 0x10000 (65KB). It might be either an unintended bug or a conscious choice to speed up the encryption process while rendering most files unusable anyway.
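The 0x1000-versus-0x10000 detail matters for triage and recovery, since a file whose first 4 KB were overwritten still has most of its content intact. The following is an added illustration, not code from the BlackBerry Cylance report or from the ransomware itself: it scores the entropy of the two prefix regions and the tail separately to tell the two variants apart. The constructed sample files, the `keystream` stand-in for ciphertext and the 7.0 bits/byte threshold are all assumptions of mine.

```python
import hashlib
import math

# Prefix sizes from the report: some samples encrypt only the first 0x1000
# bytes (4 KB) of each file instead of 0x10000 (64 KB).
PREFIX_SHORT = 0x1000
PREFIX_LONG = 0x10000
HIGH_ENTROPY = 7.0  # bits/byte; ciphertext and compressed data sit near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(data: bytes) -> str:
    """Label a file by which regions look encrypted. The three regions are
    scored separately: a 64 KB ciphertext prefix averaged into a long
    plaintext tail would otherwise be mistaken for a 4 KB prefix."""
    if len(data) < PREFIX_LONG + 512:
        return "too-small"  # cannot separate a 64 KB prefix from full encryption
    head = shannon_entropy(data[:PREFIX_SHORT]) >= HIGH_ENTROPY
    middle = shannon_entropy(data[PREFIX_SHORT:PREFIX_LONG]) >= HIGH_ENTROPY
    tail = shannon_entropy(data[PREFIX_LONG:]) >= HIGH_ENTROPY
    if head and middle and tail:
        return "full"  # whole file high-entropy: encrypted, or natively compressed
    if head and middle:
        return "prefix-64k"  # matches the 0x10000-byte variant
    if head and not tail:
        return "prefix-4k"  # matches the 0x1000-byte variant; the rest is intact
    return "plain" if not (head or middle or tail) else "other"

def keystream(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext in the
    constructed samples below (not the ransomware's own encryption)."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return bytes(out[:n])

# Constructed samples: ~224 KB of repetitive text with 4 KB, 64 KB or all bytes replaced.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. 0123456789\n" * 4000
SAMPLE_4K = keystream(PREFIX_SHORT) + PLAINTEXT[PREFIX_SHORT:]
SAMPLE_64K = keystream(PREFIX_LONG) + PLAINTEXT[PREFIX_LONG:]
SAMPLE_FULL = keystream(len(PLAINTEXT))
```

A "full" result is ambiguous for natively compressed formats such as archives, Office documents and JPEGs, which are high-entropy throughout, so corroborate it with the file's original magic bytes or the presence of the dropped ransom note.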
The Zeppelin builder allows attackers to configure the content of the ransom note text file, which is dropped on the system and displayed to the victim after encrypting the files.
The researchers have revealed several different versions, ranging from short, generic messages to more elaborate ransom notes targeted to individual organizations.
All the messages instruct the victim to contact the attacker via the provided email address and to quote their personal ID number.
To avoid detection, Zeppelin relies on multiple layers of obfuscation, including pseudo-random keys, encrypted strings, code of varying sizes, and delays in execution intended to outlast sandboxes and deceive heuristic mechanisms.
The ransomware was first discovered a month ago, when it was distributed through watering-hole websites with its PowerShell payloads hosted on Pastebin.
The researchers have shared indicators of compromise (IoCs) in their blog post. They found that almost 30 percent of antivirus solutions were unable to detect this ransomware.