The Delphi-based ransomware-as-a-service (RaaS) family, initially known as Vega or VegaLocker and first discovered earlier this year, has spawned a new member dubbed Zeppelin, security provider Cylance’s researchers said.
There’s evidence, Cylance said, that at least some of its attacks have been sprung through managed service providers (MSPs). The attacks launched so far somewhat resemble those of the Sodinokibi ransomware threat actor, which is known to target MSPs. Zeppelin is based on the same code as its predecessors and shares most of their features; the family’s origins were initially thought to be Russian. The first Zeppelin samples, none of which predate November 6, 2019, were discovered targeting a handful of tech and healthcare companies in Europe and the U.S. Several new versions of Vega have been spotted in the wild this year, with Zeppelin the most recent.
Vega samples were first discovered early this year as part of a malvertising operation on a Russian online advertising network. The campaign was designed as a broad reach effort, aimed at Russian speaking users, particularly in the accounting vertical. Several new versions of Vega have appeared this year, each bearing a different name, such as Jamper, Storm and Buran, with some offered as a service on underground forums.
In contrast to Vega, however, Zeppelin is designed not to run on machines based in Russia and some other ex-USSR countries. The shift away from targeting Russian-speaking countries, together with the type of victim now being targeted, is significant because it suggests Zeppelin is being used by a different group of bad actors, who perhaps bought it as a service and reconfigured it, the Cylance researchers said.
Once Zeppelin has encrypted all of the victim’s files, it leaves a ransom demand in a text file. The filename and contents are configurable by the attacker. So far, the Cylance researchers have found a number of different ransom notes, some generic and some tailored. The common theme is that all of them instruct the victim on how to contact the attacker and identify themselves with a personal ID number. Interestingly, one of the ransom notes uncovered provides an email address associated with a .onion domain that is only accessible via Tor.
“Targeting specific organizations rather than every reachable user is just one example of how ransomware attacks continue to evolve,” Cylance wrote in a blog post. “The ongoing refinement of ransomware attacks serves as a stark reminder that effective cyber security should be proactive, predictive, adaptive, and semi-autonomous.”