A new variant of Vega ransomware family, dubbed Zeppelin, has recently been spotted in the wild targeting technology and healthcare companies across Europe, the United States, and Canada.
However, if you reside in Russia or some other ex-USSR countries like Ukraine, Belorussia, and Kazakhstan, breathe a sigh of relief, as the ransomware terminates its operations if found itself on machines located in these regions.
It’s notable and interesting because all previous variants of the Vega family, also known as VegaLocker, were primarily targeting Russian speaking users, which indicates Zeppelin is not the work of the same hacking group behind the previous attacks.
Since Vega ransomware and its previous variants were offered as a service on underground forums, researchers at BlackBerry Cylance believes either Zeppelin “ended up in the hands of different threat actors” or “redeveloped from bought/stolen/leaked sources.”
According to a report BlackBerry Cylance shared with The Hacker News, Zeppelin is a Delphi-based highly-configurable ransomware that can easily be customized to enable or disable various features, depending upon victims or requirements of attackers.
Zeppelin can be deployed as an EXE, DLL, or wrapped in a PowerShell loader and includes the following features:
- IP Logger — to track the IP addresses and location of victims
- Startup — to gain persistence
- Delete backups — to stop certain services, disable the recovery of files, delete backups and shadow copies, etc.
- Task-killer — kill attacker-specified processes
- Auto-unlock — to unlock files that appear locked during encryption
- Melt — to inject self-deletion thread to notepad.exe
- UAC prompt — try running the ransomware with elevated privileges
Based on the configurations attackers set from the Zeppelin builder user-interface during the generation of the ransomware binary, the malware enumerates files on all drives and network shares and encrypts them with the same algorithm as used by the other Vega variants.
images from Hacker News