Zeppelin ransomware source code sold for $500 on hacking forum
A threat actor announced on a cybercrime forum that they sold the source code and a cracked version of the Zeppelin ransomware builder for just $500.
The post was spotted by threat intelligence company KELA and while the legitimacy of the offer has not been validated, the screenshots from the seller indicate that the package is real.
The seller of the Zeppelin source code and builder uses the handle 'RET' and clarified that they did not author the malware but simply managed to crack a builder version for it. RET added that they had acquired the package without a license.
"Where I got the builder without a license is my business. [...] I just cracked the builder," the seller wrote in a reply to other members of the hacker forum.
The cybercriminal noted that they intended to sell the product to a single buyer and would freeze the sale until completing the transaction.
In November 2022, following the discontinuation of the Zeppelin RaaS operation, law enforcement and security researchers disclosed that they had found exploitable flaws in Zeppelin's encryption scheme, which had allowed them to build a decrypter and help victims since 2020.
A user in the forum thread asked explicitly whether the new version had fixed the flaws in the cryptography implementation. The seller replied that it is the second version of the malware, which should no longer include the vulnerabilities.
Zeppelin ransomware background
Zeppelin is a derivative of the Delphi-based Vega/VegaLocker malware family that was active between 2019 and 2022. It was used in double-extortion attacks, and its operators sometimes asked for ransoms as high as $1 million.
Builds of the original Zeppelin ransomware were sold for up to $2,300 in 2021, after its author had announced a major update for the software.
The RaaS offered a relatively advantageous deal to affiliates, allowing them to keep 70% of the ransom payments, with 30% going to the developer.
Reference: https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-source-code-sold-for-500-on-hacking-forum/
AH