Zeppelin Ransomware Re-emerges as a New Threat for Healthcare Sector

What happened?

• First identified in late 2019, Zeppelin is a variant of the VegaLocker/Buran ransomware-as-a-service family that has sailed back into relevance, after a hiatus of several months.
• This month, Juniper Threatlab researchers released an analysis of a new ransomware campaign calling itself Zeppelin, with a new targeted campaign and a new infection routine.
• Similar to its earlier variant, the malware targets technology and healthcare sectors. Somehow, it avoids infecting computers in Russia, Belarus, Kazakhstan, and Ukraine.
• The wave of attacks remained largely undetected by antivirus applications, due to Zeppelin’s use of a new trojan downloader about1.vbs, hidden in the garbage text of Visual Basic scripts.
• The campaign started in early-June and ran until August.

Alluring healthcare sector

• Zeppelin’s attack methods are similar to the Sodinokibi (REvil) ransomware variant. In recent times, many other ransomware variants have targeted healthcare facilities and officials through specially crafted malspam.
• In August, REvil ransomware operators had breached the Valley Health Systems and stolen sensitive data, including information related to clients, employees, and patients.
• In the same month, Maze ransomware operators targeted Ventura Orthopedics and uploaded an archive of stolen files on their leak site.
• The Netwalker ransomware operators were also seen targeting The Center for Fertility and Gynecology.

The bottom line