Fire Sale: Zeppelin Ransomware Source Code Sells for $500 on Dark Web
The buyer could use the code to restart the Zeppelin ransomware-as-a-service operation, which until now has been all but defunct.
January 5, 2024
A threat actor has sold the source code and a cracked builder for Zeppelin for just $500. Zeppelin is a Russian ransomware strain used in numerous past attacks on US businesses and on organizations in critical infrastructure sectors.
The sale could signal the revival of a ransomware-as-a-service (RaaS) featuring Zeppelin, at a time when many had written off the malware as largely non-operational and defunct.
Fire Sale on RAMP Crime Forum
Researchers at Israeli cybersecurity firm KELA in late December spotted a threat actor using the handle "RET" offering the source code and builder for Zeppelin2 for sale on RAMP, a Russian cybercrime forum that, among other things, once hosted Babuk ransomware's leak site. A couple of days later, on Dec. 31, the threat actor claimed to have sold the malware to a RAMP forum member.
Victoria Kivilevich, director of threat research at KELA, says it is unclear how, or from where, the threat actor might have obtained the code and builder for Zeppelin. "The seller has specified that they 'came across' the builder and cracked it to exfiltrate source code written in Delphi," Kivilevich says. RET has made clear that they are not the author of the malware, she adds.
The code that was on sale appears to have been for a version of Zeppelin that corrected multiple weaknesses in the original version's encryption routines. Those weaknesses had allowed researchers from cybersecurity firm Unit221B to crack Zeppelin's encryption keys and, for nearly two years, quietly help victim organizations decrypt locked data. Zeppelin-related RaaS activity declined after news of Unit221B's secret decryption tool became public in November 2022.
Kivilevich says the only information on the code that RET offered for sale was a screenshot of the source code. Based on that information alone, it is hard for KELA to assess if the code is genuine or not, she says. However, the threat actor RET has been active on at least two other cybercrime forums using different handles and appears to have established some sort of credibility on one of them.
"On one of them, he has a good reputation, and three confirmed successful deals through the forum middleman service, which adds some credibility to the actor," Kivilevich says.
"KELA has also seen a neutral review from a buyer of one of his products, which seems to be an antivirus bypass solution. The review said it is able to neutralize an antivirus similar to Windows Defender, but it won't work on 'serious' antivirus," she adds.
A Once-Potent Threat Crashes & Burns
Zeppelin is ransomware that threat actors have used in multiple attacks on US targets going back to at least 2019. The malware is a derivative of VegaLocker, a ransomware written in the Delphi programming language. In August 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released indicators of compromise and details on the tactics, techniques, and procedures (TTPs) that Zeppelin actors were using to distribute the malware and infect systems.
At the time, CISA described the malware as being used in several attacks on US targets including defense contractors, manufacturers, educational institutions, technology companies, and especially organizations in the medical and healthcare industries. Initial ransom demands in attacks involving Zeppelin ranged from a few thousand dollars to over one million dollars in some instances.
Kivilevich says it's likely that the purchaser of the Zeppelin source code will do what others have when they have acquired malware code.
"In the past, we've seen different actors reusing the source code of other strains in their operations, so it is possible that the buyer will use the code in the same way," she says. "For example, the leaked LockBit 3.0 builder was adopted by Bl00dy, LockBit themselves were using leaked Conti source code and code they purchased from BlackMatter, and one of the recent examples is Hunters International who claimed to have purchased the Hive source code."
Kivilevich says it's not very clear why the threat actor RET might have sold Zeppelin's source code and builder for just $500. "Hard to tell," she says. "Possibly he didn't think it's sophisticated enough for a higher price — considering he managed to get the source code after cracking the builder. But we don't want to speculate here."