It has been used to target small numbers of healthcare and technology-related companies in the US, Canada and Europe in recent weeks. An analysis of the code reveals that Zeppelin is related to, but distinct from the VegaLocker ransomware family.
The code has been heavily modified and enhanced though, to the point that the researchers felt confident in calling it a brand-new strain.
The new threat is primarily spread in supply-chain attacks via Managed Security Service Providers, which makes it functionally similar to the Sodinokibi ransomware family. Of interest, the code is incredibly configurable. Researchers surmise that it’s being offered in underground forums as a “Software as Service,” with third-party hackers paying for the right to use it, then customizing it to their needs.
Zeppelin was first compiled in early November 2019, and since that time, it has been used on a limited basis against what the researchers describe as “a few carefully selected targets”.
They also had this to say about their recent discovery:
“There seem to be a limited number of victims, and we haven’t seen the malware being used in any wide-spread distribution campaign so far, therefore it looks like the threat actors are rather careful in whom they are targeting…one of the possibilities is that the campaign didn’t yet fully take off and the current victims are only the ‘patient zero’ in some kind of test run.
The advice is the same as always: use a comprehensive security solution, maintain up-to-date operating systems, perform regular backups – and keep them on mediums that are usually disconnected from the network, educate your personnel on basic security guidelines, stay cautious and vigilant.”
It’s very good advice. Although not yet widespread, Zeppelin poses a serious threat indeed.