Zeppelin Ransomware have Resumed their Operations After a Temporary Pause

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

 

According to BleepingComputer, the operators behind the Zeppelin ransomware-as-a-service (RaaS), aka Buran, have resumed operations following a brief outage. Zeppelin’s operators, unlike other ransomware, do not steal data from victims or maintain a leak site. 
Experts from BlackBerry Cylance discovered a new version of the Vega RaaS, called Zeppelin, and it first appeared on the threat landscape in November 2019. In Europe, the United States, and Canada, the latest version was used in attacks against technology and healthcare firms. Zeppelin was discovered in November and was spread via a watering hole attack in which the PowerShell payloads were hosted on the Pastebin website. 
The Zeppelin ransomware does not infect users in Russia or other ex-USSR countries like Ukraine, Belorussia, or Kazakhstan, unlike other Vega ransomware variants. The ransomware enumerates files on all drives and network shares and attempts to encrypt them after being executed. Experts found that the encryption algorithm used is the same as that used by other Vega variants. 
“This is in contrast with the classic RaaS operations, where developers typically look for partners to breach into a victim network, to steal data, and deploy the file-encrypting malware. The two parties then split paid ransoms, with developers getting the smaller piece (up to 30%),” reported BleepingComputer. 
Advanced Intel (AdvIntel), threat detection and loss avoidance firm, discovered that the Zeppelin ransomware developers revised their operation in March. They announced a “big software upgrade” as well as a n

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

Read the original article: Zeppelin Ransomware have Resumed their Operations After a Temporary Pause