08 January, 2020
Health and Technology endangered by new Zeppelin Ransomware
Article: Ransomware
A latest avatar of Vega Ransomware out in the wild across continents targeting health and technology.
The first world is in trouble.
Medicine and technology, the two unavoidable ingredients of public life is targeted by the latest ransomware.
A new version of the Vega ransomware family, namely Zeppelin, has recently been discovered in the wild. The two main targets of this latest threat bug are technology and healthcare companies all over Europe, the United States, and Canada. Zeppelin is a Delphi-based highly-configurable ransomware adjustable according to the destructive desires of the attacker.
But, there is also a relief.
Countries like Russia or some other ex-USSR countries like Ukraine, Belorussia, and Kazakhstan are not the hit list of this dangerous ransomware variant as it stops its attacks on systems located in this region. The point to be noted here is that all the previous versions of the Vega ransomaware family includingVegaLocker were designed to target the natives of Russia. That proves this time the attacks are not the brainchild of the same hacking group.
There is yet another point of difference.
Researchers at BlackBerry Cylance believes either Zeppelin "ended up in the hands of different threat actors" or "redeveloped from bought/stolen/leaked sources.", the reason being the previous Vega ransomwares being offered as services on underground forums.
Zeppelin can be deployed as an EXE, DLL, or wrapped in a PowerShell loader and is characterized by the following.
- IP Logger — to track the IP addresses and location of victims
- Startup — for persistence
- Delete backups — to abate some services, undo the recovery of files, delete backups and shadow copies, etc.
- Task-killer — kill attacker-specified processes
- Auto-unlock — to unlock files that appear locked during encryption
- Melt — to incorporate self-deletion thread to notepad.exe
- UAC prompt — try running the ransomware with elevated privileges
Depending on the configurations threat actors set from the Zeppelin builder user-interface during the execution of the ransomware binary, the malware lists files on all drives and network shares and encrypts them with the same algorithm as used by the other Vega variants.Not only does the Zeppelin builder configure files and features to be encrypted but also does the same to the content of the ransom note text file, which it leaves on the system and shows to the target after completing the malicious encryption tasks.
Zeppelin ransomware uses multiple layers of obfuscation, including the use of pseudo-random keys, encrypted string, using code of varying sizes, as well as delays in execution to outrun sandboxes and deceive heuristic mechanisms in order to avoid detection.
Zeppelin was first found out almost a month ago at the time when it was distributed through water-holed websites with its Power Shell payloads hosted on the Paste bin website.
Researchers are of the notion that some of the Zeppelin onslaughts were"conducted through MSSPs, which would bear similarities to another recent highly targeted campaign that used ransomware called Sodinokibi," also known as Sodin or REvil. They have also shown indicators of compromise (IoC) on their blog post and have said that almost 30% of antivirus solutions have not been able to nullify the effect of this ransonware.
Trust the power of experience and expertise to rid your system off the malicious hacking viruses. ISOAH has been doing that successfully for the longest time in India.
Click here to know more about us.
