After a period of relative silence, the operators of Zeppelin ransomware have returned with a new version of their malware, which they are once again advertising on hacker forums.
The updated Zeppelin first became available on a hacker forum at the end of April.
Zeppelin (also referred to as Buran) originated from the Vega/VegaLocker family, a Delphi-based ransomware-as-a-service (RaaS) that was distributed on Russian-speaking hacker forums in 2019.
The Zeppelin gang is one of the few ransomware operations that does not follow the classic RaaS model. Instead of recruiting affiliates, it sells the malware outright and gives buyers complete independence in how they use it, while also maintaining individual partnerships with certain users.
This contrasts with classic RaaS operations, where affiliates and the core gang split the ransoms that victims pay: the affiliates keep most of the money and the core gang takes the smaller share, usually up to 30%.
Furthermore, Zeppelin operators do not run a leak site, and they encrypt victims' data without first stealing it.
Researchers at the security company AdvIntel detected a spike in Zeppelin operators' activity in March, when the group announced "a major update for the software." A new round of sales followed the announcement. AdvIntel head of research Yelisey Boguslavskiy said that the current Zeppelin version is priced at $2,300.
Since the major update, Zeppelin developers have released a further update on April 27 that improved the stability of the encryption routine.
They also assured regular customers that work on improving the malware continues:
“We continue to work. We provide individual conditions and a loyal approach for each subscriber, the conditions are negotiable.”
Boguslavskiy said Zeppelin operators prefer to work on “a more extended scope of operations” with a limited number of close partners.
AdvIntel warns that, despite lacking the organization typical of the RaaS model, Zeppelin could make the ransomware threat harder to fight: selling the malware outright lets other developers lift its features for their own products. AdvIntel also notes that Zeppelin's buyers tend not to devise complicated attack vectors and instead rely on common initial entry points such as exposed RDP, VPN vulnerabilities, and phishing.
Even without the complexity of a typical RaaS operation, Zeppelin can be difficult to detect, particularly when attackers deliver it with new downloaders, as Juniper Threat Labs found last year.