January 5, 2024 at 04:53PM
The source code and builder for the Zeppelin ransomware strain, previously considered defunct, were sold for $500 on a Russian cybercrime forum, prompting concerns about its potential revival. Whether the buyer intends to reuse the code as buyers have in previous cases is uncertain. The motive for the sale also remains unclear; the threat actor may simply not have considered the code sophisticated enough to command a higher price.
Key takeaways:
1. The source code and a cracked builder for the Zeppelin ransomware strain were sold for $500, potentially signaling the revival of a ransomware-as-a-service (RaaS) featuring Zeppelin.
2. The sale took place on the RAMP crime forum, with the threat actor using the handle “RET” to offer the malware.
3. Researchers at KELA noted that Zeppelin has been used in attacks on US targets, especially in critical infrastructure sectors.
4. The Zeppelin code on sale reportedly addressed multiple weaknesses in the original version’s encryption routines, weaknesses that had led to decreased Zeppelin-related RaaS activity.
5. It is unclear how RET obtained the code and builder for Zeppelin, and the legitimacy of the source code offered for sale remains uncertain.
6. The potential buyer of the Zeppelin source code may use it for malicious purposes, as seen in previous instances of malware code acquisition.
7. The reasons behind the low price of $500 for the Zeppelin source code and builder remain unclear.