SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zeppelin_ransomware (Back to overview)

Zeppelin Ransomware


Zeppelin is a ransomware written in Delphi and sold a as-a-service. The Cylance research team notes that it is a clear evolution of the known VegaLocker, but they assessed it as a new family becaue of additionally developed modules that makes Zeppelin much more configurable than Vegalocker. There are executable variants of type DLL and EXE.

References
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Ransomware Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zeppelin Ransomware Zloader
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos Ransomware RansomEXX REvil Ryuk WastedLocker Zeppelin Ransomware
2021-01-10Medium walmartglobaltechJason Reaves
@online{reaves:20210110:man1:54a4162, author = {Jason Reaves}, title = {{MAN1, Moskal, Hancitor and a side of Ransomware}}, date = {2021-01-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618}, language = {English}, urldate = {2021-01-11} } MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker Zeppelin Ransomware
2020-07FlashpointFlashpoint
@techreport{flashpoint:202007:zeppelin:8c54ff6, author = {Flashpoint}, title = {{Zeppelin Ransomware Analysis}}, date = {2020-07}, institution = {Flashpoint}, url = {https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf}, language = {English}, urldate = {2020-08-14} } Zeppelin Ransomware Analysis
Zeppelin Ransomware
2020-06-30G DataG Data
@online{data:20200630:ransomware:3f071e1, author = {G Data}, title = {{Ransomware on the Rise: Buran’s transformation into Zeppelin}}, date = {2020-06-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin}, language = {English}, urldate = {2020-07-02} } Ransomware on the Rise: Buran’s transformation into Zeppelin
Zeppelin Ransomware
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Ransomware Phobos Ransomware REvil Ryuk STOP Ransomware Zeppelin Ransomware
2019-12-11Threat VectorCylance Threat Research Team
@online{team:20191211:zeppelin:dea0202, author = {Cylance Threat Research Team}, title = {{Zeppelin: Russian Ransomware Targets High Profile Users in the U.S. and Europe}}, date = {2019-12-11}, organization = {Threat Vector}, url = {https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html}, language = {English}, urldate = {2019-12-15} } Zeppelin: Russian Ransomware Targets High Profile Users in the U.S. and Europe
Zeppelin Ransomware
Yara Rules
[TLP:WHITE] win_zeppelin_ransomware_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_zeppelin_ransomware_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin_ransomware"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3c02 740b 8d45e8 e8???????? }
            // n = 4, score = 400
            //   3c02                 | cmp                 al, 2
            //   740b                 | je                  0xd
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   e8????????           |                     

        $sequence_1 = { 8d55cc b8???????? e8???????? ff75cc 8d55c8 8b4314 e8???????? }
            // n = 7, score = 400
            //   8d55cc               | lea                 edx, [ebp - 0x34]
            //   b8????????           |                     
            //   e8????????           |                     
            //   ff75cc               | push                dword ptr [ebp - 0x34]
            //   8d55c8               | lea                 edx, [ebp - 0x38]
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]
            //   e8????????           |                     

        $sequence_2 = { e8???????? 8d45e0 8b55fc 0fb712 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   0fb712               | movzx               edx, word ptr [edx]

        $sequence_3 = { e8???????? 8b55b8 b801000080 59 e8???????? 84c0 7444 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8b55b8               | mov                 edx, dword ptr [ebp - 0x48]
            //   b801000080           | mov                 eax, 0x80000001
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7444                 | je                  0x46

        $sequence_4 = { e8???????? 6800080000 33c9 b201 a1???????? e8???????? 8bf8 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   6800080000           | push                0x800
            //   33c9                 | xor                 ecx, ecx
            //   b201                 | mov                 dl, 1
            //   a1????????           |                     
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_5 = { 648910 68???????? 8d45c8 e8???????? 8d45d0 8b15???????? }
            // n = 6, score = 400
            //   648910               | mov                 dword ptr fs:[eax], edx
            //   68????????           |                     
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   e8????????           |                     
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   8b15????????         |                     

        $sequence_6 = { 8b45f4 803830 750b 8b45f4 e8???????? }
            // n = 5, score = 400
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   803830               | cmp                 byte ptr [eax], 0x30
            //   750b                 | jne                 0xd
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   e8????????           |                     

        $sequence_7 = { 53 0fb644240c 50 57 ff15???????? }
            // n = 5, score = 400
            //   53                   | push                ebx
            //   0fb644240c           | movzx               eax, byte ptr [esp + 0xc]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_8 = { e8???????? 4e 85f6 75cb 8b45ec e8???????? 6a00 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   4e                   | dec                 esi
            //   85f6                 | test                esi, esi
            //   75cb                 | jne                 0xffffffcd
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_9 = { 50 8b442408 50 53 0fb644240c }
            // n = 5, score = 400
            //   50                   | push                eax
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   0fb644240c           | movzx               eax, byte ptr [esp + 0xc]

    condition:
        7 of them and filesize < 2637824
}
Download all Yara Rules