Fire Sale: Zeppelin Ransomware Source Code Sells for $500 on Dark Web

Published: 23/11/2024   Category: security




The buyer could use the code to restart the up to now all-but-defunct Zeppelin ransomware-as-a-service operation.



A threat actor has sold for just $500 the source code and a cracked builder for Zeppelin, a Russian ransomware strain used in numerous attacks on US businesses and organizations in critical infrastructure sectors in the past.
The sale could signal the revival of a ransomware-as-a-service (RaaS) featuring Zeppelin, at a time when many had written off the malware as largely non-operational and defunct.
Researchers at Israeli cybersecurity firm KELA in late December spotted a threat actor using the handle RET offering the source code and builder for Zeppelin2 for sale on RAMP, a Russian cybercrime forum that, among other things, once hosted Babuk ransomware's leak site. A couple of days later, on Dec. 31, the threat actor claimed to have sold the malware to a RAMP forum member.
Victoria Kivilevich, director of threat research at KELA, says it is unclear how, or from where, the threat actor might have obtained the code and builder for Zeppelin. The seller has specified that they came across the builder and cracked it to exfiltrate source code written in Delphi, Kivilevich says. RET has made clear that they are not the author of the malware, she adds.
The code that was on sale appears to have been for a version of Zeppelin that corrected multiple weaknesses in the original version's encryption routines. Those weaknesses had allowed researchers from cybersecurity firm Unit221B to crack Zeppelin's encryption keys and, for nearly two years, quietly help victim organizations decrypt locked data. Zeppelin-related RaaS activity declined after news of Unit221B's secret decryption tool became public in November 2022.
Kivilevich says the only information on the code that RET offered for sale was a screenshot of the source code. Based on that information alone, it is hard for KELA to assess if the code is genuine or not, she says. However, the threat actor RET has been active on at least two other cybercrime forums using different handles and appears to have established some sort of credibility on one of them.
"On one of them, he has a good reputation, and three confirmed successful deals through the forum middleman service, which adds some credibility to the actor," Kivilevich says.
KELA has also seen a neutral review from a buyer of one of his products, which seems to be an antivirus bypass solution. "The review said it is able to neutralize an antivirus similar to Windows Defender, but it won't work on serious antivirus," she adds.
Zeppelin is ransomware that threat actors have used in multiple attacks on US targets going back to at least 2019. The malware is a derivative of VegaLocker, a ransomware written in the Delphi programming language. In August 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released indicators of compromise and details on the tactics, techniques, and procedures (TTPs) that Zeppelin actors were using to distribute the malware and infect systems.
At the time, CISA described the malware as being used in several attacks on US targets including defense contractors, manufacturers, educational institutions, technology companies, and especially organizations in the medical and healthcare industries. Initial ransom demands in attacks involving Zeppelin ranged from a few thousand dollars to over one million dollars in some instances.
Kivilevich says it's likely that the purchaser of the Zeppelin source code will do what others have done when they have acquired malware code.
"In the past, we've seen different actors reusing the source code of other strains in their operations, so it is possible that the buyer will use the code in the same way," she says. For example, the leaked LockBit 3.0 builder was adopted by Bl00dy, LockBit themselves were using leaked Conti source code and code they purchased from BlackMatter, and one of the recent examples is Hunters International, who claimed to have purchased the Hive source code.
Kivilevich says it's not very clear why the threat actor RET might have sold Zeppelin's source code and builder for just $500. "Hard to tell," she says. "Possibly he didn't think it's sophisticated enough for a higher price — considering he managed to get the source code after cracking the builder. But we don't want to speculate here."
