Sale of Zeppelin Ransomware Source Code at a Bargain

Recent activity in the cybercrime sphere highlights an alarming development: a threat actor using the pseudonym ‘RET’ advertised the sale of Zeppelin ransomware’s source code and a cracked version of its builder on a hacking forum for a mere $500. While the authenticity of the offer remains unverified, observations from threat intelligence company KELA suggest it is credible, based on screenshots shared by the seller.

The potential repercussions of this sale are concerning, since a buyer who obtains the Zeppelin source code could establish a new ransomware-as-a-service (RaaS) operation or develop a fresh iteration within the Zeppelin family. ‘RET’ clarified their position, stating that they did not create the malware but acquired a builder version without a license and cracked it.

Notably, ‘RET’ expressed intent to sell the product to a single purchaser, temporarily halting the sale until the transaction concludes. Discussion on the forum thread also included inquiries about whether the version being sold rectifies the cryptographic vulnerabilities identified in previous iterations. The seller claims that this latest iteration, the second version, addresses those flaws.

Zeppelin, an offshoot of the Delphi-based Vega/VegaLocker malware lineage operational from 2019 to 2022, gained infamy for its employment in double-extortion schemes, occasionally demanding exorbitant ransoms, even reaching up to $1 million. Its initial iterations were retailed for as much as $2,300 in 2021, following a major software update announced by the original author.

The ransomware’s business model allowed affiliates to retain 70% of the ransom proceeds, with the remaining 30% channeled to the developer, making it an attractive proposition within the RaaS landscape. However, in mid-2022 the FBI raised concerns about a novel strategy utilized by Zeppelin ransomware operators: encrypting files in multiple rounds, which amplifies the threat’s complexity.

Notably, in November 2022, following the discontinuation of Zeppelin’s RaaS operations, it was disclosed that law enforcement and security researchers had discovered exploitable flaws in the ransomware’s encryption protocol, leading to the creation of a decrypter tool that has aided victims since 2020.

The emergence of this Zeppelin source code sale underscores the evolving landscape of cybercrime. It could increase the prevalence of ransomware attacks, necessitating heightened vigilance and proactive measures to mitigate their impact.

To prevent the proliferation of Zeppelin ransomware and its variants, robust cybersecurity practices are crucial. Applying software updates promptly, deploying strong antivirus software, conducting employee cybersecurity training, and enforcing strict access controls can reduce the risk of ransomware infiltration. Additionally, maintaining data backups and implementing a robust incident response plan can help limit the impact of an attack that does occur.