On an underground forum, an individual is actively advertising the sale of Zeppelin2 ransomware, providing both the ransomware’s source code and a cracked version of its builder tool. Zeppelin2, renowned for its destructive capabilities, has garnered attention from cybersecurity experts and law enforcement globally. The forum post asserts that the user successfully cracked the Zeppelin2 builder tool, originally designed for data encryption, by circumventing its security measures. Screenshots of the source code are displayed, showcasing the intricate details of the build process and revealing the ransomware’s use of Delphi as its programming language.
The Zeppelin2 ransomware builder tool, highlighted by the threat actor, boasts various features, including file settings, ransom notes, IP logging, startup commands, task killers, and auto-unlocking busy files. The threat actor underscores the ransomware’s comprehensive file encryption, making data recovery impossible without the unique private key held by the attackers. After completing the encryption process, victims are presented with a ransom note declaring the encryption of all their files, instructing them to contact the attackers via email and providing a method for testing the decryptor’s legitimacy by sending a non-valuable file.
Reports indicate that Zeppelin2 ransomware demands ransom payments in Bitcoin, with extortion amounts varying from several thousand dollars to over a million dollars. In response to the Zeppelin2 threat, the FBI and CISA have jointly issued a cybersecurity advisory. Operating since 2019 and persisting at least until June 2022, Zeppelin2 has targeted diverse sectors, including defense contractors, educational institutions, manufacturers, technology companies, and notably, organizations in the healthcare and medical industries.
The ransomware’s modus operandi involves exploiting vulnerabilities such as remote desktop protocol (RDP) exploitation, SonicWall firewall vulnerabilities, and phishing campaigns to gain access to victim networks. Before deploying Zeppelin2 ransomware, threat actors meticulously map and enumerate the victim’s network, identifying critical data enclaves, including cloud storage and network backups. As customary with ransomware groups, Zeppelin2 operators exfiltrate sensitive corporate data with the intention of making it accessible to buyers or the public should the victim resist complying with their demands. Notably, the FBI has observed instances where Zeppelin2 actors execute their malware multiple times within a victim’s network, generating different IDs or file extensions for each attack instance, requiring multiple unique decryption keys.