Zeppelin Ransomware Targets High Profile Users in the U.S. and Europe (Dec 11, 2019)

A new variant of the Vega and VegaLocker Ransomware-as-a-Service (RaaS) has been identified by the Cylance Threat Research Team, leading researchers to believe that the ransomware is now in the hands of new threat actors. “Vega”, a Delphi-based ransomware aimed at Russian-speaking users and delivered via the RIG Exploit Kit (EK), has been redesigned several times throughout 2019, each version bearing a new name. This newest variant, dubbed “Zeppelin,” was first observed in early November 2019, targeting healthcare and tech companies in Europe and the United States. Targeting behaviors suggest that Zeppelin has been bought and sold to a new threat actor, or has been redeveloped using stolen or leaked sources. Zeppelin is highly configurable and can be deployed to targets as an EXE or DLL file, or bundled into a PowerShell loader. The malware begins its installation with a temporary folder named “.zeppelin” before spreading and encrypting files. While the amount of the ransom varies among targeted organizations, all ransom demands are made in a text file and are to be paid in Bitcoin.

Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, in addition to a business continuity policy. In the unfortunate case that a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, which are doing their best to track these actors and prevent ransom from being a profitable business for threat actors.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.