New VegaLocker ransomware variant targets healthcare and IT sectors

• It was being used in targeted attacks against healthcare and other tech companies in U.S., Canada, and Europe.
• The threat actors are believed to have dropped the ransomware through Remote Desktop servers that are publicly exposed to the Internet.

Cybercriminals have developed a new ransomware variant called Zeppelin. It is being used to target healthcare and tech companies in U.S., Canada, and Europe. The ransomware is reportedly a new variant of the VegaLocker/Buran Ransomware.

Backstory of the ransomware family

Beginning its journey as VegaLocker, the ransomware evolved into a Ransomware-as-a-Service (RaaS) on Russian hacker forums under the name Buran in May 2019. Affiliates who joined the RaaS would earn 75 percent of the ransom payment, while the Buran operators would earn 25 percent. The latest variant of this ransomware family is now Zeppelin.

The Zeppelin Ransomware

In a new report from BlackBerry Cylance, researchers detailed the discovery of this new ransomware. Zeppelin was being used in targeted attacks against healthcare and other tech companies in U.S., Canada, and Europe. Researchers believe the ransomware also targeted MSPs in order to further infect customers via management software.

"The recent campaign that utilizes the newest variant, Zeppelin, is visibly distinct. The first samples of Zeppelin - with compilation timestamps no earlier than November 6, 2019 - were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the US," the researchers wrote.

Meanwhile, it isn’t known exactly how the Zeppelin ransomware is being distributed, but it is likely through Remote Desktop servers that are publicly exposed to the Internet.

How it works?

As mentioned earlier, threats actors are believed to have dropped ransomware through Remote Desktop servers that are publicly exposed to the Internet.

• Like other Russian-based ransomware, Zeppelin first checks for the users’ nationality for CIS countries such as Russia, Ukraine, Belarus, and Kazakhstan.
• It either checks the configured language in Windows or default country code set by the users.
• When confirmed, the ransomware then begins terminating various processes including ones associated with the database, backup, and mail servers.
• When encrypting files, the ransomware does not add any extension and the file name is kept the same as well. However, it includes a file marker called Zeppelin that may be surrounded by different symbols depending on the hex editor and character format used by the user on the target system.

While encrypting files, it creates ransom notes named "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT". These notes contain information on what has happened to the victim's files, how they can contact hackers for payment instructions, or how they can test decryption of one file for free.

Final words

Unfortunately, at the moment, no decryptor is available for recovering the files encrypted by Zeppelin for free. It is therefore suggested that users restore from backups if at all possible.