Zeppelin ransomware attacks major organizations in Europe, the US and Canada

Zeppelin ransomware is a new, dangerous file-encrypting malware that has been found infecting large healthcare and technology organizations worldwide. Victims of this crypto-threat are largely in the USA, Canada and Europe. Reports from Cylance researchers indicate that the malware is Delphi-based ransomware-as-a-service (RaaS) belonging to the Vega/Vegalocker ransomware family. The initial Vegalocker threats were spotted at the beginning of 2019 attacking Russian-speaking users.

In only a little over a month, Zeppelin ransomware was modified and enhanced so extensively over Vegalocker that, according to security researchers, a different hacker group may be spreading it altogether. Malware analysis shows that it is built to abort execution if it lands on a PC located in Russia or in other countries that were part of the former USSR bloc. In stark contrast to the Vega campaign, all Zeppelin binaries (as well as some newer Buran samples) are designed to quit if running on machines located in Russia and certain other ex-USSR countries.

Cylance states that the first traces of Zeppelin ransomware were spotted on November 6, 2019, and that its primary targets were healthcare and technology companies from all over the globe. Another notable trait is that Zeppelin shares multiple similarities with Sodinokibi ransomware in its distribution tactics, which include MSSPs (Managed Security Service Providers) in supply-chain attempts,[4] malvertising, and targeted watering-hole attempts.

Zeppelin ransomware uses the same encryption algorithm as Vegalocker: AES-256 in CBC mode. However, each file is then further encrypted with a custom-built RSA cipher, according to Cylance researchers. The specialists also discovered another very interesting fact about Zeppelin ransomware: it encrypts only the first 0x1000 bytes (4KB) of each file, not the first 0x10000 (65KB). Researchers suggest that this behaviour might be a bug in the malware's module or a deliberate choice to make encryption faster.
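The header-only behaviour described above leaves a forensic tell a defender can look for: a file whose first 0x1000 bytes look like ciphertext while the rest is still readable plaintext. The Python triage check below is an added example, not code from Cylance's report or from the malware; the entropy thresholds and the minimum remainder length are assumptions, and the sample file is constructed.

```python
import math
from pathlib import Path

# Cylance reports that Zeppelin encrypts only the first 0x1000 bytes of each file.
HEADER_LEN = 0x1000
MIN_TAIL_LEN = 1024   # assumption: a shorter remainder gives an unreliable estimate
HIGH_ENTROPY = 7.5    # assumption: bits/byte typical of ciphertext or random data
LOW_ENTROPY = 6.0     # assumption: bits/byte typical of plaintext documents

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def assess_bytes(data: bytes, header_len: int = HEADER_LEN) -> dict:
    """Compare the entropy of the first header_len bytes with that of the remainder.

    A high-entropy header followed by a low-entropy body is the trace a header-only
    encryptor leaves behind. Fully compressed or fully encrypted files are
    high-entropy throughout and are deliberately not flagged here.
    """
    head, tail = data[:header_len], data[header_len:]
    head_e, tail_e = shannon_entropy(head), shannon_entropy(tail)
    suspicious = (
        len(head) == header_len
        and len(tail) >= MIN_TAIL_LEN
        and head_e >= HIGH_ENTROPY
        and tail_e <= LOW_ENTROPY
    )
    return {"head_entropy": head_e, "tail_entropy": tail_e, "suspicious": suspicious}

def assess_file(path: Path, header_len: int = HEADER_LEN) -> dict:
    """Apply assess_bytes to a file on disk (whole-file read; fine for triage)."""
    return assess_bytes(path.read_bytes(), header_len)

# Constructed sample (not a real Zeppelin artifact): a 4 KB block with a uniform byte
# distribution (entropy 8.0) stands in for the encrypted header; plain English text
# stands in for the untouched remainder of the document.
SAMPLE_HEADER = bytes(range(256)) * 16                          # exactly 0x1000 bytes
SAMPLE_BODY = b"The quick brown fox jumps over the lazy dog.\n" * 200
SAMPLE_FILE = SAMPLE_HEADER + SAMPLE_BODY

if __name__ == "__main__":
    print(assess_bytes(SAMPLE_FILE))   # suspicious: True
    print(assess_bytes(SAMPLE_BODY))   # suspicious: False (plaintext throughout)
```

Run `assess_file` over a directory of documents after an incident to shortlist files matching the pattern; compressed formats such as ZIP or JPEG are high-entropy from start to end and will not trip the check.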