January 4, 2024 at 11:20AM
A cybercriminal offered the Zeppelin ransomware source code and builder on a forum for $500. Despite questions about its legitimacy, screenshots indicate it is genuine. The seller, ‘RET,’ claims to have cracked the builder without a license and intends to sell it to a single buyer. Security flaws in Zeppelin’s encryption scheme had been exploited by law enforcement and researchers.
From the meeting notes, here are the key takeaways:
1. A threat actor is selling the source code and a cracked version of the Zeppelin ransomware builder for $500.
2. The legitimacy of the offer has not been fully validated, but screenshots from the seller indicate that the package is real and available for purchase to a single buyer.
3. The seller uses the handle ‘RET’ and clarified that they did not author the malware but managed to crack a builder version for it without a license.
4. The Zeppelin ransomware is a derivative of the Delphi-based Vega/VegaLocker malware family and has been used in double-extortion attacks with ransom demands as high as $1 million.
5. The Zeppelin RaaS operation offered affiliates a deal under which they kept 70% of ransom payments, with 30% going to the developer.
6. Since 2020, law enforcement and security researchers have used exploitable flaws in Zeppelin’s encryption scheme to build a decrypter for victims, but the seller claims the second version of the malware no longer contains those vulnerabilities.
These takeaways provide a clear understanding of the situation and the potential risks associated with the availability of the Zeppelin ransomware builder and source code.