Russia: Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. The biggest difference between Zeppelin and its predecessors is the attack campaigns. Previous campaigns utilizing Vega were spread to Russian-speaking users, with a focus on those in accounting, through a widespread malvertising campaign. The binaries were typically signed with valid certificates and hosted on GitHub. In this most recent campaign, Zeppelin has been targeting a select handful of tech and healthcare companies in Europe and the United States. Unlike its predecessor Vega, Zeppelin binaries are designed to stop running if it detects that it is running on a machine based in Russia or any former Soviet states. Zeppelin is capable of being deployed as a .exe, a DLL, or placed in a PowerShell loader. Zeppelin was found to be hosted on watering-hole websites, except for PowerShell variants which were hosted on Pastebin. Researchers currently believe that at least some of the attacks were conducted through Managed Security Service Providers (MSSPs) but gave no further details of how they came to that conclusion.
Watch the Video
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.