Unveiling Zeppelin2 Ransomware: A New Threat Emerges on Dark Web

In a recent post on an underground forum, a user is advertising Zeppelin2 ransomware for sale, offering both its source code and a cracked version of its builder tool. The Zeppelin family, known for its destructive file-encryption capabilities, has drawn the attention of cybersecurity researchers and law enforcement agencies worldwide, and the resale of its source and builder to other actors means that new, rebranded variants may follow.
The seller claims to have cracked the Zeppelin2 builder, the tool used to generate encryptor payloads, by bypassing its protections. The post includes screenshots of the source code and details of the build process, which show that the ransomware is written in Delphi.
The Zeppelin2 builder advertised by this threat actor offers a range of configurable features, including file settings, ransom notes, IP logging, startup commands, task killers, and automatic unlocking of files that are in use so that they can be encrypted. The seller emphasizes the ransomware's ability to encrypt files comprehensively, claiming that recovery is impossible without the unique private key held by the attackers.
Once encryption is complete, victims are presented with a ransom note stating that all of their files have been encrypted. The note instructs them to contact the attackers by email and offers a way to test the decryptor's legitimacy by sending a file of no value, which the attackers decrypt for free as proof.
According to reports, Zeppelin ransom demands are paid in Bitcoin, with amounts ranging from several thousand dollars to over a million dollars. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) had previously issued a joint cybersecurity advisory on Zeppelin ransomware in 2022, and the guidance in it remains relevant to this resold variant.
The Cyber Express 1/2/2024