Zeppelin ransomware gang is back after a temporary pause

Operators behind the Zeppelin ransomware-as-a-service (RaaS) have resumed their operations after a temporary interruption.

Researchers from BleepingComputer reported that operators behind the Zeppelin ransomware-as-a-service (RaaS), aka Buran, have resumed their operations after a temporary interruption. Unlike other ransomware, Zeppelin operators do not steal data from the victims and don’t run a leak site.

Zeppelin ransomware first appeared on the threat landscape in November 2019 when experts from BlackBerry Cylance found a new variant of the Vega RaaS, dubbed Zeppelin. The new variant was involved in attacks aimed at technology and healthcare companies across Europe, the United States, and Canada. Zeppelin was first discovered in November, at the time it was distributed through watering hole attack in which the PowerShell payloads were hosted on the Pastebin website.

Unlike other variants of the Vega ransomware, the Zeppelin ransomware doesn’t infect users in Russia or other ex-USSR countries like Ukraine, Belorussia, and Kazakhstan.

Upon execution, the ransomware enumerates files on all drives and network shares and attempt to encrypt them, experts noticed that the encryption algorithm used is the same as the one of the other Vega variants.

Last month experts spotted a new variant of the ransomware on a hacker forum allowing buyers to opt how to use the malware.

“This is in contrast with the classic RaaS operations, where developers typically look for partners to breach into a victim network, to steal data, and deploy the file-encrypting malware. The two parties then split paid ransoms, with developers getting the smaller piece (up to 30%).” reported BleepingComputer.

Researchers from Advanced Intel (AdvIntel) reported that developers of the Zeppelin ransomware updated their malware in April implementing some enhancements.

The malware was available for sale at a price tag of $2,300 per core build, but they offered individual conditions to their subscribers.

Advanced Intel researchers pointed out that even if the Zeppelin gang doesn’t implement a common RaaS model, they represent a serious threat to organizations worldwide.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.