The healthcare and IT industries are under the new ransomware radar.

Recently discovered by researchers at Blackberry Cylance, a new ransomware called Zeppelin is targeting healthcare and IT companies across the US and Europe with carefully planned cyberattacks.

Unveiled as the newest ransomware from the Delphi-based Ransomware-as-a-Service (RaaS) family, also known as VegaLocker or Vega, is thought to be of Russian origin since its discovery in the early 2019.

Researchers also mention that the attacks were planned in a broader scope rather than target-oriented and had valid certificates on GitHub. Additionally, a number of newer versions of the ransomware have been randomly identified over the span of a year, and Zeppelin is projected to be the latest one in the clan.

As per researchers, the latest version is built on the same code and displays similar functions of the past methods. However, the most recent one is considerably different from the previous malware versions.

First detected on November 6, 2019, Zeppelin was observed targeting carefully chosen tech and healthcare companies in the US and Europe. Another fact that is not worth missing out on is, Zeppelin is constructed to stop working on machines based in Russia and other ex- USSR nations. The ransomware is programmed to screen the victim’s country, and it does this by obtaining the target’s external IP address to make sure it is not operating in any of the prohibited countries.

Based on the pattern, researchers speculate that the virus must have ended up in the hands of several threat actors.

Researches also described, “Zeppelin appears to be highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader, and the samples are hosted on water-holed websites, and in the case of PowerShell, on Pastebin.”

Researchers also speculate that a few of these attacks were triggered through MSSPs (Managed Security Services Providers), as they carry similarities to Sodinokibi, a healthcare threat actor that typically targets managed service providers.

More about Zeppelin

It does not matter which way the Zeppelin malware is delivered, as it is bound to begin the installation with a “. zeppelin” before it attacks the target machine.

However, when it is for Zeppelin, all sensitive strings in its binaries are obfuscated with a unique pseudo-random 32-byte RC4 key, appended to each encryption string.