A new ransomware has been spotted in the wild, and it’s targeting healthcare and technology companies in Europe and the United States.
The ransomware, known as Zeppelin, appears to be part of the Vegalocker family of network-encrypting malware. However, Zeppelin has been redeveloped and improved to such an extent that security analysts have classified it as a new form of ransomware.
It’s worth noting that previous variants from the Vega family primarily targeted Russian-speaking users. But, The Hacker News reports, companies in Russia and some other ex-USSR countries such as Ukraine, Belorussia, and Kazakhstan are not at risk, because “the ransomware terminates its operations if found itself on machines located in these regions.”
According to researchers at BlackBerry Cylance, Zeppelin is spread in a supply chain attack via Managed Service Providers (MSSPs). Even worse, the ransomware is highly configurable and can be deployed as an EXE, as a DLL, or bundled into a PowerShell loader.
However, regardless of how it’s deployed, ZDNet reports that “Zeppelin begins its installation with a temporary folder named .zeppelin, before spreading itself around the target machine.”
Once installed, Zeppelin encrypts victims’ files and uses a private key to tell victims apart.
Moreover, Zeppelin ransom notes are tailored to individual organizations. Researchers say the notes range from short and generic to elaborate messages. One thing all of the notes have in common, however, is the demand to be paid in bitcoin.
Currently, researchers believe that Zeppelin is being distributed as-a-service on the dark web — with each cybercriminal tailoring it to fit their needs.