What Is It?

Researchers at BlackBerry Cylance have discovered a new ransomware variant they have named Zeppelin, after a string it inserts into the files it encrypts. Rather than an entirely new ransomware family, they believe Zeppelin to be the newest variant of the Vega (also known as VegaLocker) ransomware, first seen in early 2019. Researchers have observed Zeppelin deployed in targeted attacks against healthcare and IT organizations in both Europe and the United States. Some of the victims were managed service providers, seemingly chosen for the ability to reach their customers' systems, reminiscent of recent Sodinokibi ransomware attacks.

Zeppelin utilizes a variety of techniques in an attempt to evade detection. It is written in the Delphi programming language, a so-called "high level" language, meaning its source code reads closer to English than to machine language. Although that makes Delphi source easy to read, compiled Delphi binaries are in practice more difficult and time consuming to reverse engineer and analyze than those produced by many other languages.

As with most malware, and ransomware in particular, created by Russian-speaking attackers, Zeppelin is designed to exit harmlessly if it detects that it is running on a system located in Russia or in one of a number of former Soviet republics. Because legacy signature-based products often detect malware by its text strings, Zeppelin protects many of its strings with RC4 encryption. It also attempts to appear benign by making various calls to Windows API routines that would not normally be considered suspicious, and it uses loops to try to evade sandbox detection.
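A concrete illustration of why RC4-encrypted strings defeat legacy string signatures, and of a check that does not depend on plaintext: the Python below is an added example, not code from the post or from BlackBerry Cylance's analysis. It builds a constructed, NUL-padded string table, encrypts it with textbook RC4 under a constructed key to stand in for what an analyst would find in the binary, and shows that a plaintext substring signature matches the clear table but not the encrypted one, while a per-window Shannon entropy measure still flags the encrypted region. The strings, key, window size and threshold are all assumptions.

```python
import math
from collections import Counter

# Constructed example data: a small string table with four fixed 32-byte
# slots, NUL padded, standing in for plaintext strings inside a binary.
SLOT = 32
PLAIN_STRINGS = [
    b"YOUR FILES ARE ENCRYPTED",
    b"contact us by email",
    b"decrypt one file for free",
    b"write to the address below",
]
PLAIN_TABLE = b"".join(s.ljust(SLOT, b"\x00") for s in PLAIN_STRINGS)

# Plaintext signatures of the kind a legacy string-matching product would use.
SIGNATURES = [b"FILES ARE ENCRYPTED", b"decrypt one file for free"]

# Constructed key (assumption): any RC4 key serves the demonstration.
RC4_KEY = b"example-key-not-from-the-post"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), used here only to produce a realistic
    encrypted string table. RC4 is symmetric, so the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


ENC_TABLE = rc4(RC4_KEY, PLAIN_TABLE)


def string_signature_hits(blob: bytes, signatures: list) -> list:
    """Plaintext substring matching, i.e. what a string signature does."""
    return [sig for sig in signatures if sig in blob]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def high_entropy_windows(blob: bytes, window: int = 64, threshold: float = 5.0) -> list:
    """Offsets of fixed-size windows whose entropy is at or above threshold.
    Text or NUL-padded data in a 64-byte window stays well below 5.0 bits;
    encrypted or compressed data lands near the 6.0-bit maximum for that size."""
    return [
        off
        for off in range(0, len(blob) - window + 1, window)
        if shannon_entropy(blob[off : off + window]) >= threshold
    ]


if __name__ == "__main__":
    print("signature hits, plaintext table:", string_signature_hits(PLAIN_TABLE, SIGNATURES))
    print("signature hits, RC4 table:      ", string_signature_hits(ENC_TABLE, SIGNATURES))
    print("high-entropy windows, plaintext:", high_entropy_windows(PLAIN_TABLE))
    print("high-entropy windows, RC4:      ", high_entropy_windows(ENC_TABLE))
```

Entropy is a triage heuristic rather than a verdict: packed or compressed data scores the same way, so the check points an analyst at regions worth decrypting once the key routine has been located, and it complements rather than replaces behavioural detection.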

As is common with current ransomware, Zeppelin begins by terminating processes belonging to various email, backup and database products, so that the maximum number of important data files can be encrypted (files held open by those processes would otherwise be locked). When Zeppelin starts encrypting files, it begins with the files on the current drive, then creates additional processes to handle encryption of network shares and other attached drives. It does not alter the filenames of encrypted files. The ransom note provides an email address for contacting the attackers to obtain payment details or to have one file decrypted for free. Zeppelin's encryption is believed to be cryptographically secure, so restoring from current backups or paying the ransom are believed to be the only ways to recover encrypted files.
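The mass termination of database, mail and backup processes described above is one of the more reliable early signals of a ransomware run, because it happens before encryption starts and is noisy in process telemetry. The Python below is an added example, not code from the post or from BlackBerry Cylance: it reads constructed Sysmon-style process-creation records and raises an alert when a single parent process spawns taskkill against several watchlisted images within a short window. The watchlist, field names, paths and thresholds are assumptions to adjust for a real environment.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative watchlist (an assumption, not taken from the post): images of
# database, mail and backup software that ransomware commonly stops so that
# the files those processes hold open can be encrypted.
WATCHLIST = {"sqlservr.exe", "mysqld.exe", "outlook.exe", "backupagent.exe"}

# Pulls the image name out of "taskkill ... /IM <image> ..." (any case).
TASKKILL_TARGET = re.compile(r'taskkill\b.*?/im\s+"?([^\s"]+)', re.IGNORECASE)

# Constructed process-creation events in a Sysmon-like JSON-lines shape
# (field names and paths are assumptions; real collectors differ).
SAMPLE_LOG = r"""
{"ts": "2019-12-12T10:00:01", "parent_pid": 4120, "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "cmdline": "taskkill /F /IM sqlservr.exe"}
{"ts": "2019-12-12T10:00:01", "parent_pid": 4120, "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "cmdline": "taskkill /F /IM outlook.exe"}
{"ts": "2019-12-12T10:00:02", "parent_pid": 4120, "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "cmdline": "taskkill /F /IM mysqld.exe"}
{"ts": "2019-12-12T10:00:02", "parent_pid": 4120, "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "cmdline": "taskkill /F /IM backupagent.exe"}
{"ts": "2019-12-12T10:03:15", "parent_pid": 900, "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "taskkill /F /IM notepad.exe"}
{"ts": "2019-12-12T10:05:40", "parent_pid": 900, "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "taskkill /F /IM outlook.exe"}
{"ts": "2019-12-12T10:07:02", "parent_pid": 900, "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "taskkill /PID 5120 /F"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_mass_kill(events: list, window_seconds: int = 60, min_targets: int = 3) -> list:
    """Alert when one parent process spawns taskkill against at least
    min_targets distinct watchlisted images within window_seconds."""
    by_parent = defaultdict(list)
    for ev in events:
        match = TASKKILL_TARGET.search(ev.get("cmdline", ""))
        if not match:
            continue  # not a taskkill-by-image invocation
        target = match.group(1).lower()
        if target in WATCHLIST:
            by_parent[ev["parent_pid"]].append((ev["ts"], target, ev["parent_image"]))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for pid, kills in by_parent.items():
        kills.sort()  # chronological; tuples compare by timestamp first
        for i, (start, _, image) in enumerate(kills):
            targets = {t for ts, t, _ in kills[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts.append({
                    "parent_pid": pid,
                    "parent_image": image,
                    "first_seen": start.isoformat(),
                    "targets": sorted(targets),
                })
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in find_mass_kill(parse_events(SAMPLE_LOG)):
        print(alert)
```

The benign operator in the sample (pid 900) kills one watchlisted process and one unlisted one, and never trips the threshold; the temp-directory binary that stops four watchlisted images in two seconds does. In production the same logic should also cover `net stop`, `sc stop` and WMI-based termination, since a single command family is easy to vary.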

How Does It Propagate?

Zeppelin ransomware is believed to reach targeted networks via compromised internet-facing Remote Desktop (RDP) servers.
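Because the post names compromised internet-facing Remote Desktop servers as the likely entry point, a defender's first check is the Security log of any exposed RDP host. The Python below is an added example, not from the post: over constructed Windows Security events it groups failed logons (event 4625) per source address, alerts when a burst exceeds a threshold, and raises the severity when a successful logon (event 4624) from the same address follows the burst, which is the pattern that credential guessing or reuse leaves behind. The event shape, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
# 10 = RemoteInteractive (RDP). With Network Level Authentication enabled,
# a failed RDP authentication is recorded with logon type 3 instead, because
# CredSSP authenticates before any session exists, so both are kept.
RDP_LOGON_TYPES = {10, 3}

# Constructed Security log records (assumption: flattened EventID, LogonType,
# IpAddress and TargetUserName fields; real exports vary by collector).
SAMPLE_EVENTS = [
    {"ts": "2019-11-30T02:14:05", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "administrator"},
    {"ts": "2019-11-30T02:14:19", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "admin"},
    {"ts": "2019-11-30T02:14:33", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "administrator"},
    {"ts": "2019-11-30T02:14:48", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "backup"},
    {"ts": "2019-11-30T02:15:02", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "sqladmin"},
    {"ts": "2019-11-30T02:15:17", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "administrator"},
    {"ts": "2019-11-30T02:15:31", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "jsmith"},
    {"ts": "2019-11-30T02:15:50", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.45", "user": "jsmith"},
    {"ts": "2019-11-30T02:16:40", "event_id": 4624, "logon_type": 10, "ip": "203.0.113.45", "user": "jsmith"},
    {"ts": "2019-11-30T03:30:00", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2019-11-30T03:30:40", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2019-11-30T03:31:20", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2019-11-30T03:32:05", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2019-11-30T03:32:50", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    # A real user mistyping a password twice, then logging on: below threshold.
    {"ts": "2019-11-30T08:01:00", "event_id": 4625, "logon_type": 10, "ip": "10.0.0.23", "user": "jdoe"},
    {"ts": "2019-11-30T08:01:20", "event_id": 4625, "logon_type": 10, "ip": "10.0.0.23", "user": "jdoe"},
    {"ts": "2019-11-30T08:01:45", "event_id": 4624, "logon_type": 10, "ip": "10.0.0.23", "user": "jdoe"},
]


def detect_rdp_spray(events: list, window_minutes: int = 5, min_failures: int = 5) -> list:
    """One alert per source address whose failed RDP logons within a window
    reach min_failures; severity is 'high' if a success follows the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        by_ip[ev["ip"]].append((datetime.fromisoformat(ev["ts"]), ev["event_id"], ev["user"]))

    alerts = []
    window = timedelta(minutes=window_minutes)
    for ip, recs in by_ip.items():
        recs.sort()
        failures = [r for r in recs if r[1] == FAILED_LOGON]
        for i, (start, _, _) in enumerate(failures):
            burst = [r for r in failures[i:] if r[0] - start <= window]
            if len(burst) < min_failures:
                continue
            end = burst[-1][0]
            success = next(
                (r for r in recs if r[1] == SUCCESSFUL_LOGON and end <= r[0] <= end + window),
                None,
            )
            alerts.append({
                "ip": ip,
                "first_seen": start.isoformat(),
                "failures": len(burst),
                "users_tried": sorted({r[2] for r in burst}),
                "success_user": success[2] if success else None,
                "severity": "high" if success else "medium",
            })
            break  # one alert per address
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_spray(SAMPLE_EVENTS):
        print(alert)
```

The detection is a backstop, not the fix: the mitigation for this entry point is to keep RDP off the internet entirely (behind a VPN or Remote Desktop Gateway with multi-factor authentication), to restrict which accounts hold the remote logon right, and to lock out or rate-limit repeated failures at the host.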

When/How Did BluVector Detect It?

Six samples are publicly available, and BluVector's patented Machine Learning Engine (MLE) detected them all. Regression testing has shown that all samples would have been detected 71 months prior to their release.