On a cybercrime forum, a threat actor announced they were selling the Zeppelin ransomware builder source code and a cracked build for just $500. Threat intelligence firm KELA discovered the post, and although the offer's validity has yet to be confirmed, the screenshots the seller posted suggest the item is authentic.
Whoever buys the package could develop a new locker based on the Zeppelin family or use the malware to launch a new ransomware-as-a-service (RaaS) operation. The seller, who uses the handle RET, made it clear that they did not create the malware; they had only cracked a version of its builder, and said they did not hold a license when they obtained the bundle.
"My business is where I obtained the constructor without a license. I just cracked the builder," the vendor stated in response to other hackers on the site.
The cybercriminal disclosed that they planned to sell the product to a single buyer and would not offer it again until that deal was finished. In November 2022, law enforcement and security researchers revealed that they had discovered exploitable weaknesses in Zeppelin's encryption scheme.
Those weaknesses allowed them to build a decrypter and quietly assist victims since 2020; the disclosure came only after the Zeppelin RaaS had shut down.
When a user in the forum thread asked specifically whether the holes in the cryptographic implementation had been fixed in the new version, the seller replied that the vulnerabilities should no longer be present in the second version of the malware. That claim has not been independently verified.
Background of the Zeppelin Ransomware
Zeppelin ransomware is a derivative of the Delphi-based VegaLocker malware family, which was active between 2019 and 2022. It was used extensively in double-extortion attacks, and in some cases its operators demanded ransoms of up to $1 million.
The original Zeppelin ransomware builder sold for nearly $2,300 in 2021, after its creator announced a major software update.
The RaaS offered affiliates a comparatively generous deal: they kept 70 percent of ransom payments and passed 30 percent to the developer.
In mid-2022, the FBI (Federal Bureau of Investigation) warned about a new Zeppelin tactic involving multiple encryption rounds, in which the malware is executed several times within the same victim network so that recovery can require more than one decryption key.