
Zeppelin Ransomware

Zeppelin is an advanced ransomware-as-a-service tool based on the VegaLocker and Buran malware. Despite sharing large amounts of its code with these older tools, Zeppelin appears to be explicitly targeted at healthcare and technology organisations throughout Western Europe and the USA.

At the time of publication, it is unclear how Zeppelin is delivered, although there are unconfirmed reports indicating it may be distributed via exposed Remote Desktop Services ports or through malvertising attacks in a similar manner to Buran.

Once delivered, Zeppelin will check the default language of the affected system and will terminate itself if Russian, Ukrainian, Kazakh, or Belarusian are detected. It then connects to a command and control server, which in turn sends an encryption command.

Zeppelin will then attempt to terminate a number of database, recovery, and mail services before encrypting all reachable non-system files using an AES-256 algorithm in CBC mode. The AES keys are then themselves encrypted using a custom RSA-512 implementation.

Indicators of Compromise

URLs

  • iplogger[.]org/1H7Yt7.jpg
  • iplogger[.]org/1HCne7.jpeg
  • iplogger[.]org/1Hpee7.jpeg
  • iplogger[.]org/1HVwe7.png
  • iplogger[.]org/1syG87
  • iplogger[.]org/1wF9i7.jpeg

Email Addresses

  • bad_sysadmin@protonmail[.]com
  • buratin@torbox3uiot6wchz[.]onion
  • buratino@firemail[.]cc
  • buratino2@tutanota[.]com
  • ran-unlock@protonmail[.]com
  • ranunlock@cock[.]li
  • Vsbb@firemail[.]cc
  • Vsbb@tutanota[.]com

Registry Keys

  • HKCU\Software\Zeppelin

SHA256 File Hashes

  • 04628e5ec57c983185091f02fb16dfdac0252b2d253ffc4cd8d79f3c79de2722
  • 1f94d1824783e8edac62942e13185ffd02edb129970ca04e0dd5b245dd3002bc
  • 39d8331b963751bbd5556ff71b0269db018ba1f425939c3e865b799cc770bfe4
  • 4894b1549a24e964403565c61faae5f8daf244c90b1fbbd5709ed1a8491d56bf
  • d61bd67b0150ad77ebfb19100dff890c48db680d089a96a28a630140b9868d86
  • e22b5062cb5b02987ac32941ebd71872578e9be2b8c6f8679c30e1a84764dba7

MD5

  • CFCBD89AC2A32EF179CB39ABB569A952
  • BFDFD9874072B6340660B501F1BD7A33
  • FEE6BA9A0D7A805B3281D4F955821C1C
  • A8E670C63E257049A7BCAE632C9ACEF6
  • 0E06F623BC4EEFA97A84EDEDFBB6BB7E
  • 3F120DE1249E8724EC1C1EF255F26067
  • 0D442C4D8B4C4312840675CAC8D69661
  • 58F53C8034A1E0AC1174595909DDF88C
  • 386157F4CAB9327D01A7210DA9237EF0
  • 357B149A0F40224DB5D359DB104A6778
  • 68CCFAF0F453CC45FAAA8F653AB9C983
  • AED10704BFB8F9EFF057D5523B9AD431

IP Addresses

  • 45.142.213[.]167
  • 216.249.104[.]215
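The indicator lists above are only useful once they are matched against telemetry. The following is an added example, not code from the article or from any vendor: a Python script that refangs the published indicators (the `[.]` defanging is reversed), builds lookup sets from them, and checks a few constructed telemetry events (DNS queries, proxy URLs, firewall connections, EDR file hashes, registry keys) for matches. The event format and the sample events are assumptions made for illustration; the indicator values themselves are copied from the lists above.

```python
import hashlib
import re

# Indicators copied from the advisory above, defanged exactly as published.
ZEPPELIN_IOCS = {
    "urls": [
        "iplogger[.]org/1H7Yt7.jpg", "iplogger[.]org/1HCne7.jpeg",
        "iplogger[.]org/1Hpee7.jpeg", "iplogger[.]org/1HVwe7.png",
        "iplogger[.]org/1syG87", "iplogger[.]org/1wF9i7.jpeg",
    ],
    "ips": ["45.142.213[.]167", "216.249.104[.]215"],
    "sha256": [
        "04628e5ec57c983185091f02fb16dfdac0252b2d253ffc4cd8d79f3c79de2722",
        "1f94d1824783e8edac62942e13185ffd02edb129970ca04e0dd5b245dd3002bc",
        "39d8331b963751bbd5556ff71b0269db018ba1f425939c3e865b799cc770bfe4",
        "4894b1549a24e964403565c61faae5f8daf244c90b1fbbd5709ed1a8491d56bf",
        "d61bd67b0150ad77ebfb19100dff890c48db680d089a96a28a630140b9868d86",
        "e22b5062cb5b02987ac32941ebd71872578e9be2b8c6f8679c30e1a84764dba7",
    ],
    "md5": [
        "CFCBD89AC2A32EF179CB39ABB569A952", "BFDFD9874072B6340660B501F1BD7A33",
        "FEE6BA9A0D7A805B3281D4F955821C1C", "A8E670C63E257049A7BCAE632C9ACEF6",
        "0E06F623BC4EEFA97A84EDEDFBB6BB7E", "3F120DE1249E8724EC1C1EF255F26067",
        "0D442C4D8B4C4312840675CAC8D69661", "58F53C8034A1E0AC1174595909DDF88C",
        "386157F4CAB9327D01A7210DA9237EF0", "357B149A0F40224DB5D359DB104A6778",
        "68CCFAF0F453CC45FAAA8F653AB9C983", "AED10704BFB8F9EFF057D5523B9AD431",
    ],
    "registry": [r"HKCU\Software\Zeppelin"],
}


def refang(indicator: str) -> str:
    """Undo publication-safe defanging so the value matches what telemetry records."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def normalize_url(url: str) -> str:
    """Drop the scheme and lower-case the host: 'http://Iplogger.org/x' -> 'iplogger.org/x'."""
    url = re.sub(r"^[a-z]+://", "", url.strip(), flags=re.IGNORECASE)
    host, sep, path = url.partition("/")
    return host.lower() + sep + path


def build_index(iocs: dict) -> dict:
    """Pre-compute lookup sets: full URLs, hosts (from URLs and IPs), hashes, registry keys."""
    urls = {normalize_url(refang(u)) for u in iocs["urls"]}
    hosts = {u.split("/")[0] for u in urls} | {refang(ip) for ip in iocs["ips"]}
    return {
        "urls": urls,
        "hosts": hosts,
        "hashes": {h.lower() for h in iocs["sha256"] + iocs["md5"]},
        "registry": {k.lower() for k in iocs["registry"]},
    }


def hash_file_bytes(data: bytes) -> dict:
    """Return MD5 and SHA256 hex digests of a file's contents for comparison with the lists."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def scan_events(events: list, index: dict) -> list:
    """Match telemetry events (assumed shape: {'type', 'value', 'source'}) against the index."""
    hits = []
    for ev in events:
        kind, value = ev["type"], ev["value"]
        matched = None
        if kind in ("dns", "conn") and value.lower() in index["hosts"]:
            matched = "host"
        elif kind == "url" and normalize_url(value) in index["urls"]:
            matched = "url"
        elif kind == "file" and value.lower() in index["hashes"]:
            matched = "hash"
        elif kind == "registry" and value.lower() in index["registry"]:
            matched = "registry"
        if matched:
            hits.append({"source": ev.get("source", "?"), "type": kind,
                         "value": value, "ioc": matched})
    return hits


# Constructed sample telemetry: five events that should match and two that should not.
SAMPLE_EVENTS = [
    {"type": "dns", "value": "iplogger.org", "source": "ws-17"},
    {"type": "url", "value": "http://iplogger.org/1syG87", "source": "proxy"},
    {"type": "conn", "value": "45.142.213.167", "source": "fw-edge"},
    {"type": "file", "source": "edr",
     "value": "04628e5ec57c983185091f02fb16dfdac0252b2d253ffc4cd8d79f3c79de2722"},
    {"type": "registry", "value": r"HKCU\Software\Zeppelin", "source": "ws-17"},
    {"type": "dns", "value": "example.com", "source": "ws-03"},
    {"type": "file", "value": "0" * 64, "source": "edr"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS, build_index(ZEPPELIN_IOCS)):
        print(f"{hit['source']}: {hit['type']} {hit['value']} matched {hit['ioc']} indicator")
```

A host-level match on iplogger.org is weaker evidence than a full-URL, hash or registry match, since that service also has benign uses; treat host hits as leads to triage rather than confirmed infections. The article does not state which samples the MD5 list corresponds to, so the script simply indexes both hash lists together.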

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.
