Cybercriminals have spun off a ransomware that was originally known to target Russian organizations into a new malicious encryptor used in targeted campaigns against strategically selected health care and IT companies in America and Europe.
Dubbed Zeppelin, the new ransomware is a descendant of VegaLocker, a Delphi-based Ransomware-as-a-Service (RaaS) offering that was discovered in early 2019 and quickly evolved into variants such as Jamper and Buran. While this family of ransomware was notably observed in a malvertising campaign targeting Russian-speaking accountants, the new Zeppelin strain has clearly pursued an entirely different agenda, and furthermore is “visibly distinct” from its predecessors, according to a blog post published yesterday by the Cylance Threat Research Team.
Cylance, a division of BlackBerry, theorizes that Zeppelin is being deployed by a different group of threat actors than those who operated any of the earlier VegaLocker variants. The new actors could be cybercriminal affiliates who entered into a RaaS arrangement with Zeppelin’s true owners, or, if they somehow obtained VegaLocker’s or Buran’s source code, they could have redeveloped it themselves into the latest iteration.
Either way, Cylance says the Zeppelin actors appear to have “carefully chosen” their targeted organizations in a campaign that dates back to at least Nov. 6, 2019, based on the timestamps of the ransomware’s earliest known samples. Samples were found hosted on compromised websites as well as on Pastebin. Furthermore, “There are reasons to believe at least some of the attacks were conducted through MSSPs [Managed Security Service Provider],” the blog post continues.
Cylance notes that Zeppelin ..