A new variant of the VegaLocker/Buran Ransomware called Zeppelin has been spotted infecting U.S. and European companies via targeted installs.

This family first started out as VegaLocker and then was renamed to Buran Ransomware, where it was promoted as Ransomware-as-a-Service (RaaS) in May 2019 on Russian malware and hacker forums. Affiliates who joined the RaaS would earn 75% of the ransom payment, while the Buran operators would earn 25%.

Buran Advertisement (Source: Bromium)

Since then, new variants have been released called VegaLocker, Jamper, and since last month, we now have Zeppelin.

The Zeppelin Ransomware

In a new report from BlackBerry Cylance, researchers have discovered the Zeppelin ransomware being used in targeted attacks against IT and healthcare companies. In at least some of the attacks, BlackBerry Cylance believes that the attackers targeted MSPs in order to further infect customers via management software.

"The recent campaign that utilizes the newest variant, Zeppelin, is visibly distinct. The first samples of Zeppelin - with compilation timestamps no earlier than November 6, 2019 - were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the US."

It is not known exactly how the Zeppelin ransomware is being distributed, but it is likely through Remote Desktop servers that are publicly exposed to the Internet.

Like many ransomware families that originate from Russia, Zeppelin will check whether the user is in a CIS country such as Russia, Ukraine, Belorussia, or Kazakhstan by checking either the configured Windows language or the default country code.

If the victim passes this check, the ransomware will begin to terminate various processes including ones associated with database, backup, and mail servers.

When encrypting files, the ransomware will not append an extension and the file name will remain the same. It will, though, include a file marker called Zeppelin that may be surrounded by different symbols depending on the hex editor and character format you are using.

Zeppelin File Marker

While encrypting files, it will create ransom notes named !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT that contain information regarding what has happened to the victim's files. These notes will also contain email addresses that the victim can contact for payment instructions or to test decrypting one file for free.

Zeppelin Ransom Note
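Because Zeppelin leaves file names unchanged, a defender triaging a share cannot rely on extensions; the in-file marker and the ransom note name are the usable indicators. The following Python script is an added example, not code from the article or from BlackBerry Cylance, and it assumes the marker may be stored as ASCII or UTF-16LE (the article only says it appears "surrounded by different symbols" depending on the viewer) and that the personal ID follows the three-group format shown in the sample note.

```python
import os
import re
from typing import Dict, List, Tuple

# Indicators taken from the article.
NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
# Assumption: the marker may be written as ASCII or as UTF-16LE, so both
# byte forms are searched anywhere in the file (the exact offset is not known).
MARKER_PATTERNS = [b"Zeppelin", "Zeppelin".encode("utf-16-le")]

# Constructed excerpt of a note, using the contact details quoted in the article.
SAMPLE_NOTE = (
    "!!! ALL YOUR FILES ARE ENCRYPTED !!! Write to email:admin@datastex.club "
    "Reserved email: admin@datastex.xyz Your personal ID: 236-15B-2D2 Attention!"
)


def has_zeppelin_marker(data: bytes) -> bool:
    """Return True if the raw file content carries the Zeppelin marker."""
    return any(pattern in data for pattern in MARKER_PATTERNS)


def parse_ransom_note(text: str) -> Dict[str, object]:
    """Extract contact e-mails and the victim ID from a ransom note body."""
    emails = sorted(set(re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", text)))
    # Assumption: the ID keeps the NNN-NNN-NNN hex-like shape seen in the article.
    match = re.search(r"personal ID:\s*([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})", text, re.I)
    return {"emails": emails, "victim_id": match.group(1) if match else None}


def triage_directory(root: str) -> Tuple[List[str], List[str]]:
    """Walk `root`; return (files carrying the marker, ransom notes found)."""
    encrypted, notes = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(path)  # note is plain text, not an encrypted file
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if has_zeppelin_marker(data):
                encrypted.append(path)
    return sorted(encrypted), sorted(notes)
```

Run `triage_directory` against a copied (not live) share image; the note parser gives the e-mails and ID to feed into an incident ticket.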

Unfortunately, at this time no weaknesses have been discovered in the ransomware, and there is no way to recover files for free.

It is suggested that users restore from backups if at all possible.

Zeppelin payload builder discovered

When researching this ransomware in late November, security researcher Vitali Kremez discovered a builder for the Zeppelin Ransomware that allows affiliates to build different types of payloads.

These payloads can be built as an .exe, a .dll, or a .ps1 script so that they can be used in different types of attacks.

Zeppelin Ransomware Builder

This builder also allows the affiliate to create custom ransom notes that fit the theme of their attack.

For example, if they were targeting a particular company, they could configure the builder to specify the company name in the note to provide more impact.

While Zeppelin has not reached the level of Ryuk, REvil, Maze, Bitpaymer, and DoppelPaymer in terms of wide-scale distribution, this is definitely a ransomware family to keep an eye on as its operators evolve their attack methods and bring on new affiliates.

Update 12/11/19: Updated story to reflect that VegaLocker came first. Thx MalwareHunterTeam.

IOCs:

Ransom note text:

!!! ALL YOUR FILES ARE ENCRYPTED !!!

All your files, documents, photos, databases and other important files are encrypted.

You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email: admin@datastex.club and decrypt one file for free.
But this file should be of not valuable!

Do you really want to restore your files?
Write to email:admin@datastex.club
Reserved email: admin@datastex.xyz

Your personal ID: 236-15B-2D2

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Associated file names:

!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Associated registry keys: