Zeppelin, a new variant of the Vega ransomware family, has recently been observed targeting technology and healthcare organizations across Europe, the US, and Canada.

This family first appeared as VegaLocker and was later renamed Buran Ransomware, under which name it was promoted as Ransomware-as-a-Service (RaaS) on Russian malware and hacker forums in May 2019.

Affiliates who joined the RaaS would keep 75% of each ransom payment, while the Buran operators would take 25%.

Since then, further variants have been released under the names VegaLocker and Jamper, and as of last month, Zeppelin.

In a new report, researchers have documented the Zeppelin ransomware being used in targeted attacks against IT and healthcare companies.

It is not known precisely how Zeppelin is being distributed, but it is likely through Remote Desktop servers that are directly exposed to the Internet.

Zeppelin checks whether the user is located in a CIS country such as Russia, Ukraine, Belorussia, or Kazakhstan, either by reading the language configured in Windows or the default country code.

If the victim passes this check, the ransomware begins terminating various processes, including those associated with database, backup, and mail servers.

When encrypting files, the ransomware does not append an extension, so the file name stays the same. It does, however, embed a file marker reading Zeppelin, which may appear surrounded by different symbols depending on the hex editor and character encoding you are using.
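Because encrypted files keep their original names and extensions, the embedded marker is the only filename-independent clue the report gives for spotting them. The triage helper below is an added example, not code from the report or the page; it assumes the marker is the ASCII string "Zeppelin" somewhere in the file (the page does not state an offset, so it scans the first 1 MiB, an assumed bound) and flags any file that carries it.

```python
import os
from typing import Dict, List

# Assumption: the marker is the plain ASCII string "Zeppelin"; the page says it
# is enclosed by varying symbols, so no surrounding bytes are matched here.
MARKER = b"Zeppelin"
# Assumed read bound for triage: only the first 1 MiB of each file is inspected.
MAX_READ = 1024 * 1024


def has_marker(data: bytes) -> bool:
    """Return True if the raw file bytes contain the Zeppelin marker."""
    return MARKER in data[:MAX_READ]


def flag_files(files: Dict[str, bytes]) -> List[str]:
    """Return the sorted names of files whose contents carry the marker.

    Takes an in-memory name -> bytes mapping so the logic can be tested
    without touching the filesystem.
    """
    return sorted(name for name, data in files.items() if has_marker(data))


def scan_directory(root: str) -> List[str]:
    """Walk a directory tree and return paths of files carrying the marker."""
    found: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found[path] = fh.read(MAX_READ)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return flag_files(found)


if __name__ == "__main__":
    # Constructed sample files: one mimics an encrypted file (original name
    # kept, marker wrapped in non-printable bytes), one is ordinary content.
    sample = {
        "report.docx": b"\x00\x01" + MARKER + b"\x02" + b"\x9a" * 64,
        "notes.txt": b"ordinary text, nothing to see here",
    }
    for hit in flag_files(sample):
        print("possible Zeppelin-encrypted file:", hit)
```

Run `scan_directory("/path/to/share")` on a suspect volume to get the same result over real files; review hits manually, since any file that legitimately contains the word will also be flagged.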

Regrettably, at this time no flaws have been found in the ransomware, and there is no way to recover encrypted files for free.
