Researchers from BleepingComputer reported that operators behind the Zeppelin ransomware-as-a-service (RaaS), aka Buran, have resumed their operations after a temporary interruption. Unlike other ransomware, Zeppelin operators do not steal data from the victims and don’t run a leak site.
Zeppelin ransomware first appeared on the threat landscape in November 2019 when experts from BlackBerry Cylance found a new variant of the Vega RaaS, dubbed Zeppelin. The new variant was involved in attacks aimed at technology and healthcare companies across Europe, the United States, and Canada. Zeppelin was first discovered in November, at the time it was distributed through watering hole attack in which the PowerShell payloads were hosted on the Pastebin website.
Unlike other variants of the Vega ransomware, the Zeppelin ransomware doesn’t infect users in Russia or other ex-USSR countries like Ukraine, Belorussia, and Kazakhstan.
Upon execution, the ransomware enumerates files on all drives and network shares and attempt to encrypt them, experts noticed that the encryption algorithm used is the same as the one of the other Vega variants.
Last month experts spotted a new variant of the ransomware on a hacker forum allowing buyers to opt how to use the malware.
“This is in contrast with the classic RaaS operations, where developers typically look for partners to breach into a victim network, to steal data, and deploy the file-encrypting malware. The two parties then split paid ransoms, with developers getting the smaller piece (up to 30%).” reported BleepingComputer.
Researchers from Advanced Intel (AdvIntel) reported that developers of the Zeppelin ransomware updated their malware in April implementing some enhancements.
The malware was available for sale at a price tag of $2,300 per core build, but they offered individual conditions to their subscribers.
Advanced Intel researchers pointed out that even if the Zeppelin gang doesn’t implement a common RaaS model, they represent a serious threat to organizations worldwide.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
FBI warns Silent Ransom Group has targeted U.S. law firms for 2 years using callback…
The U.S. indicted Russian Rustam Gallyamov for leading the Qakbot botnet, which infected 700K+ devices…
Law enforcement operation codenamed 'Operation RapTor' led to the arrest of 270 dark web vendors…
A Chinese threat actor, tracked as UAT-6382, exploited a patched Trimble Cityworks flaw to deploy…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Samsung MagicINFO 9 Server vulnerability to its…
Signal implements new screen security on Windows 11, blocking screenshots by default to protect user…
This website uses cookies.
