Cyber criminals using a new form of ransomware are going after healthcare and technology companies across Europe, the US and Canada in what researchers describe as 'carefully chosen' attacks.
Named Zeppelin, the ransomware appears to be based on another family of network-encrypting malware – VegaLocker – but has been built upon and improved to such an extent that the security analysts at BlackBerry Cylance who discovered it have classed it as a new form of ransomware.
Analysis of the code reveals that Zeppelin was first compiled in early November this year, but in the space of a month alone it has been discovered targeting networks of tech and healthcare companies across Europe and North America.
According to researchers, Zeppelin is spread in supply-chain attacks via Managed Security Service Providers (MSSPs), which would make the method of compromise similar to that of Sodinokibi ransomware. It's also believed the ransomware is spread via malvertising operations and watering-hole attacks that are designed to deliver the malicious payload to the intended target.
The malware is highly configurable and can be deployed to targets as an EXE, as a DLL or bundled into a PowerShell loader – but no matter which way it's delivered, Zeppelin begins its installation with a temporary folder named .zeppelin, before spreading itself around the target machine.
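As an added illustration of the installation marker described above (example code, not from BlackBerry Cylance or the original article), this Python snippet flags file-creation events that land in a temp directory named `.zeppelin`; the log line layout and the sample events are constructed assumptions, not real telemetry.

```python
"""Flag file-system events written under a temp directory named '.zeppelin'.

Constructed event shape (an assumption): `<timestamp> <process> <action> <path>`.
"""
from pathlib import PureWindowsPath

# Constructed sample log lines, not telemetry from the reported attacks.
SAMPLE_EVENTS = [
    r"2019-11-12T10:03:41Z loader.exe CREATE C:\Users\alice\AppData\Local\Temp\.zeppelin",
    r"2019-11-12T10:03:42Z loader.exe CREATE C:\Users\alice\AppData\Local\Temp\.ZEPPELIN\payload.dll",
    r"2019-11-12T10:03:50Z notepad.exe CREATE C:\Users\alice\Documents\zeppelin-notes.txt",
    r"2019-11-12T10:04:02Z powershell.exe CREATE C:\Windows\Temp\.zeppelin\run.ps1",
]


def parse_event(line):
    """Split a constructed event line into (timestamp, process, action, path).

    maxsplit=3 keeps any spaces inside the path intact.
    """
    ts, proc, action, path = line.split(" ", 3)
    return ts, proc, action, path


def in_zeppelin_temp_dir(path):
    """True if a directory component is exactly '.zeppelin' and a 'Temp'
    directory precedes it. Matching is case-insensitive because NTFS is,
    and an exact component match avoids false hits on filenames that merely
    contain the word 'zeppelin'."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if ".zeppelin" not in parts:
        return False
    idx = parts.index(".zeppelin")
    return "temp" in parts[:idx]


def flag_events(lines):
    """Return (process, path) for each CREATE event under a .zeppelin temp folder."""
    hits = []
    for line in lines:
        _ts, proc, action, path = parse_event(line)
        if action == "CREATE" and in_zeppelin_temp_dir(path):
            hits.append((proc, path))
    return hits


if __name__ == "__main__":
    for proc, path in flag_events(SAMPLE_EVENTS):
        print(f"{proc} -> {path}")
```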
When the ransomware has clawed its way into the network, it will encrypt files using a private key to differentiate the victim from the targets of other attacks – the attackers can even ensure they're targeting the right victim by monitoring their IP address.
Once the files are all encrypted, Zeppelin will present the victim with a ransom note in a text file. There isn't a standard ransom note, with researchers noting that the notes range from short generic messages to elaborate notes that are tailored to individual organisations that have been targeted. The ransom demands also shift depending on the victim organisation, but all ask for it to be paid in bitcoin.
All of this suggests that Zeppelin ransomware is being distributed as-a-service, with cyber criminals buying access to it from a seller on an underground dark-web forum, then tailoring it to their needs – and at least one of these operators is using Zeppelin to specially craft attacks designed to target a small number of health and IT companies in what could be a test run for a larger campaign.
"There seem to be a limited number of victims, and we haven't seen the malware being used in any widespread distribution campaign so far, therefore it looks like the threat actors are rather careful in whom they are targeting," Josh Lemos, VP of research and intelligence at BlackBerry Cylance, told ZDNet.
"One of the possibilities is that the campaign didn't yet fully take off, and the current victims are only the 'patient zero' in some kind of test run," he added.
The campaign is suspected to originate from Russia, because on initial execution, the malware will check the victim's country code to make sure it's not running on a machine in Russia, Ukraine, Belarus or Kazakhstan. If Zeppelin finds itself on a network in one of these states, it will cease operation.
This represents a shift compared with other Delphi-based forms of ransomware related to VegaLocker, which were happy to compromise Russia-based victims.
Combined with the change in deployment tactics, this suggests that the Zeppelin campaign is by different cyber criminals than those responsible for VegaLocker.
Zeppelin is still active and, as it's a new form of ransomware, there's currently no free decryption tool for it, but organisations can reduce the risk of falling victim to it with some relatively simple security practices.
"The advice is the same as always: use a comprehensive security solution; maintain up-to-date operating systems; perform regular backups – and keep them on mediums that are usually disconnected from the network; educate your personnel on basic security guidelines; stay cautious and vigilant," said Lemos.