Sponsored By

Fire Sale: Zeppelin Ransomware Source Code Sells for $500 on Dark Web

The buyer could use the code to restart the up to now all-but-defunct Zeppelin ransomware-as-a-service operation.

4 Min Read
Hindenburg zeppelin airship blowing up in 1937
Source: World History Archive via Alamy Stock Photo

A threat actor has sold for just $500 the source code and a cracked builder for Zeppelin, a Russian ransomware strain used in numerous attacks on US businesses and organizations in critical infrastructure sectors in the past.

The sale could signal the revival of a ransomware-as-a-service (RaaS) featuring Zeppelin, at a time when many had written off the malware as largely non-operational and defunct.

Fire Sale on RAMP Crime Forum

Researchers at Israeli cybersecurity firm KELA in late December spotted a threat actor using the handle "RET" offering the source code and builder for Zeppelin2 for sale on RAMP, a Russian cybercrime forum that, among other things, once hosted Babuk ransomware's leak site. A couple of days later, on Dec. 31, the threat actor claimed to have sold the malware to a RAMP forum member.

Victoria Kivilevich, director of threat research at KELA, says it is unclear how, or from where, the threat actor might have obtained the code and builder for Zeppelin. "The seller has specified that they 'came across' the builder and cracked it to exfiltrate source code written in Delphi," Kivilevich says. RET has made clear that they are not the author of the malware, she adds.

The code that was on sale appears to have been for a version of Zeppelin that corrected multiple weaknesses in the original version's encryption routines. Those weaknesses had allowed researchers from cybersecurity firm Unit221B to crack Zeppelin's encryption keys and, for nearly two years, quietly help victim organizations decrypt locked data. Zeppelin-related RaaS activity declined after news of Unit22B's secret decryption tool became public in November 2022.

Kivilevich says the only information on the code that RET offered for sale was a screenshot of the source code. Based on that information alone, it is hard for KELA to assess if the code is genuine or not, she says. However, the threat actor RET has been active on at least two other cybercrime forums using different handles and appears to have established some sort of credibility on one of them.

"On one of them, he has a good reputation, and three confirmed successful deals through the forum middleman service, which adds some credibility to the actor," Kivilevich says.

"KELA has also seen a neutral review from a buyer of one of his products, which seems to be an antivirus bypass solution. The review said it is able to neutralize an antivirus similar to Windows Defender, but it won't work on 'serious' antivirus," she adds.

A Once-Potent Threat Crashes & Burns

Zeppelin is ransomware that threat actors have used in multiple attacks on US targets going back to at least 2019. The malware is a derivative of VegaLocker, a ransomware written in the Delphi programming language. In August 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released indicators of compromise and details on the tactics, techniques, and procedures (TTPs) that Zeppelin actors were using to distribute the malware and infect systems.

At the time, CISA described the malware as being used in several attacks on US targets including defense contractors, manufacturers, educational institutions, technology companies, and especially organizations in the medical and healthcare industries. Initial ransom demands in attacks involving Zeppelin ranged from a few thousand dollars to over one million dollars in some instances.

Kivilevich says it's likely that the purchaser of the Zeppelin source code will do what others have when they have acquired malware code.

"In the past, we've seen different actors reusing the source code of other strains in their operations, so it is possible that the buyer will use the code in the same way," she says. "For example, the leaked LockBit 3.0 builder was adopted by Bl00dy, LockBit themselves were using leaked Conti source code and code they purchased from BlackMatter, and one of the recent examples is Hunters International who claimed to have purchased the Hive source code."

Kivilevich says it's not very clear why the threat actor RET might have sold Zeppelin's source code and builder for just $500. "Hard to tell," she says. "Possibly he didn't think it's sophisticated enough for a higher price — considering he managed to get the source code after cracking the builder. But we don't want to speculate here."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights