Cybercriminals have developed a new ransomware variant called Zeppelin. It is being used to target healthcare and tech companies in the U.S., Canada, and Europe. The ransomware is reportedly a new variant of the VegaLocker/Buran ransomware.
Backstory of the ransomware family
Beginning its journey as VegaLocker, the ransomware evolved into a Ransomware-as-a-Service (RaaS) on Russian hacker forums under the name Buran in May 2019. Affiliates who joined the RaaS would earn 75 percent of the ransom payment, while the Buran operators would earn 25 percent. The latest variant of this ransomware family is now Zeppelin.
The Zeppelin Ransomware
In a new report from BlackBerry Cylance, researchers detailed the discovery of this new ransomware. Zeppelin was being used in targeted attacks against healthcare and tech companies in the U.S., Canada, and Europe. Researchers believe the ransomware also targeted MSPs in order to further infect their customers via management software.
"The recent campaign that utilizes the newest variant, Zeppelin, is visibly distinct. The first samples of Zeppelin - with compilation timestamps no earlier than November 6, 2019 - were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the US," the researchers wrote.
It is not yet known exactly how the Zeppelin ransomware is being distributed, but it is likely through Remote Desktop servers that are publicly exposed to the Internet.
How does it work?
As mentioned earlier, threat actors are believed to have dropped the ransomware through Remote Desktop servers that are publicly exposed to the Internet.
While encrypting files, it creates ransom notes named "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT". These notes explain what has happened to the victim's files, how to contact the attackers for payment instructions, and how to test decryption of one file for free.
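The ransom note filename above is the one artifact this article gives a defender to work with. The following triage script is an added example, not code from the article or from the BlackBerry Cylance report: it walks a file tree, flags every copy of the Zeppelin note (matched case-insensitively, since Windows filesystems are case-insensitive), and reports which directories contain one, which gives an incident responder a quick map of how far the encryption spread. The note name comes from the article; everything else (function names, the sample paths) is an assumption of this example.

```python
import os
from collections import Counter

# Ransom note filename reported for Zeppelin (taken from the article).
ZEPPELIN_NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"


def is_ransom_note(path):
    """True if the path's basename is the Zeppelin ransom note (case-insensitive)."""
    return os.path.basename(path).upper() == ZEPPELIN_NOTE_NAME


def find_note_directories(paths):
    """Return the sorted list of directories that contain a ransom note.

    Takes any iterable of file paths so it can be fed from os.walk, from a
    forensic file listing, or from an EDR export without touching the disk.
    """
    dirs = {os.path.dirname(p) for p in paths if is_ransom_note(p)}
    return sorted(dirs)


def count_notes_by_top_level(paths, root):
    """Count ransom notes per top-level child of `root`, to estimate blast radius.

    Paths directly under `root` are reported under the key ".".
    """
    counts = Counter()
    for p in paths:
        if not is_ransom_note(p):
            continue
        rel = os.path.relpath(os.path.dirname(p), root)
        top = rel.split(os.sep)[0] if rel != "." else "."
        counts[top] += 1
    return dict(counts)


def walk_files(root):
    """Yield every file path under `root` (symlinks are not followed)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            yield os.path.join(dirpath, name)


def triage(root):
    """Walk `root` and return (affected_directories, notes_per_top_level)."""
    paths = list(walk_files(root))
    return find_note_directories(paths), count_notes_by_top_level(paths, root)


if __name__ == "__main__":
    import sys

    # Usage: python zeppelin_triage.py /path/to/share
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    affected, per_top = triage(target)
    print(f"{len(affected)} directories contain a Zeppelin ransom note")
    for d in affected:
        print("  ", d)
    print("notes per top-level directory:", per_top)
```

Run it against a mounted copy of an affected share rather than the live host; the script only reads directory listings, so it is safe on a forensic image. Because `find_note_directories` accepts any list of paths, the same logic can be applied to a file inventory exported from backup software to decide which directories need restoring.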
Unfortunately, at the moment, no decryptor is available for recovering the files encrypted by Zeppelin for free. It is therefore suggested that users restore from backups if at all possible.