Date: 2024-01-05

A cybercriminal announced on a forum that they sold the source code and a cracked version of the Zeppelin ransomware builder for $500. KELA, a threat intelligence company, noticed this post. While they haven’t confirmed if the offer is genuine, screenshots from the seller suggest it’s real.

Whoever buys this package could use it to create new ransomware or develop a new locker based on Zeppelin.

Zeppelin Ransomware Source Code Sold for $500 on Hacking Forum

The seller, using the handle ‘RET,’ clarified that they didn’t create the malware but cracked the builder version. They got the package without a license.

“I cracked the builder, where I got it from is my business,” RET replied to others on the forum.

This cybercriminal plans to sell the product to one buyer and has paused the sale until the transaction is complete.

In November 2022, after Zeppelin’s RaaS ended, law enforcement and researchers found flaws in its encryption. They created a tool to help victims in 2020.

On the Zeppelin forum, a user asked if the new version fixed these issues. The seller claims this second version shouldn’t have those vulnerabilities anymore.

Zeppelin comes from the Vega/VegaLocker malware family, active from 2019 to 2022. It was known for double-extortion attacks, demanding high ransoms, sometimes up to $1 million.

The original Zeppelin ransomware sold for up to $2,300 in 2021, with the author announcing a major update.

Their RaaS offered a deal where affiliates kept 70% of the ransom, and the developer took 30%. In 2022, the FBI warned about a new tactic in which Zeppelin ransomware used multiple rounds of encryption.

