Warning over Zeppelin ransomware targeting healthcare and tech firms across Europe and US

Analysis of Zeppelin's code suggests that it was first compiled last month

Researchers at cyber security firm BlackBerry Cylance have discovered a new form of ransomware called Zeppelin, which is specifically targeting technology and healthcare firms across Europe, the US and Canada.

Zeppelin appears to be the newest member of a Delphi-based Ransomware-as-a-Service family, dubbed Vega or VegaLocker, although it has been improved to such an extent that researchers have classified it as a new type of malware.

Analysis of Zeppelin's code suggests that it was first compiled last month. It is highly configurable, according to researchers, and can be deployed in a variety of ways, for example as a .dll or .exe file or packaged in a PowerShell loader.

Zeppelin starts its installation by first creating a temp folder named .zeppelin, and then spreads itself around the target machine.

After compromising a machine, it encrypts all files on that system using a private key. The private key helps the attackers to differentiate the victim from the targets of other attacks. The attackers also monitor the IP address of the machine to ensure that they are targeting the right victim.

After the file encryption job completes, the attackers demand a ransom payment from the victim, to be paid in bitcoin.

Zeppelin comes with a variety of features, including a task killer, IP logger, user account control prompt, auto-unlock, and the ability to delete backups. A 'melt' function in its code allows it to inject a self-deletion thread into Windows Notepad.
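The host artefacts the article describes (the .zeppelin temp folder, the thread injected into Notepad, backup deletion) are the kind of thing a defender can hunt for in endpoint telemetry. The script below is an added example, not code from the article or from BlackBerry Cylance; it runs over constructed Sysmon-style events with assumed field names, and it assumes the 'delete backups' feature is implemented via Volume Shadow Copy deletion, which the article does not state.

```python
"""Toy hunt for the Zeppelin host artefacts named in the article.

Scans constructed Sysmon-like events (assumed field names, not real telemetry) for:
  * a file or folder created under a temp path named ".zeppelin" (from the article)
  * a remote thread created in notepad.exe, the 'melt' self-deletion trick (from the article)
  * shadow copy deletion via vssadmin (an assumed implementation of 'delete backups')
"""
import re
from collections import defaultdict

# Constructed sample events; ws01 shows all three indicators, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "FileCreate", "image": r"C:\Users\a\AppData\Local\Temp\inv.exe",
     "target": r"C:\Users\a\AppData\Local\Temp\.zeppelin"},
    {"host": "ws01", "event": "CreateRemoteThread", "image": r"C:\Users\a\AppData\Local\Temp\inv.exe",
     "target": r"C:\Windows\System32\notepad.exe"},
    {"host": "ws01", "event": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws02", "event": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\b\Documents\report.docx"},
]

ZEPPELIN_DIR = re.compile(r"\\temp\\\.zeppelin(\\|$)", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def classify(event):
    """Return an indicator tag for one event, or None if nothing matches."""
    kind = event.get("event")
    target = event.get("target", "")
    if kind == "FileCreate" and ZEPPELIN_DIR.search(target):
        return "zeppelin_temp_dir"
    if kind == "CreateRemoteThread" and target.lower().endswith("\\notepad.exe"):
        return "notepad_remote_thread"
    if kind == "ProcessCreate" and SHADOW_DELETE.search(event.get("cmdline", "")):
        return "backup_deletion"
    return None


def score_hosts(events):
    """Map each host to the sorted set of indicator tags seen on it (hosts with none are omitted)."""
    findings = defaultdict(set)
    for event in events:
        tag = classify(event)
        if tag:
            findings[event["host"]].add(tag)
    return {host: sorted(tags) for host, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

A host that hits more than one of these tags in a short window deserves an immediate look, since the Notepad injection and shadow copy deletion only make sense after the payload has already landed.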

While Zeppelin is largely based on the VegaLocker malware family, the current campaign differs substantially from earlier malware versions.

So far, it has been observed targeting only a select number of healthcare and tech firms in Europe and the US.

It is designed to cease operation on victim machines located in Russia, Ukraine, Kazakhstan or any other former USSR country. To confirm the location, it checks the country code of the target machine using its external IP address.

According to the researchers, the victim selection, the different deployment techniques and the shift towards targeting European countries suggest that the malware may have ended up in the hands of multiple threat groups.

"Targeting specific organisations rather than every reachable user is just one example of how ransomware attacks continue to evolve," the researchers said.

"The ongoing refinement of ransomware attacks serves as a stark reminder that effective cyber security should be proactive, predictive, adaptive, and semi-autonomous," they warned.