Skip to content
The US based CISA has now seen a reappearance of the malware targeting a range of verticals & critical infrastructure organisations by exploiting RDP, firewall vulnerabilities.
Zeppelin ransomware is back, & using new compromise & encryption s in its recent campaigns against various vertical industries—particularly healthcare—as well as critical infrastructure organisations, the US Feds are warning.
Ransomware as a Service
Threat players using the ransomware as a service (RaaS) are employing remote desktop protocol (RDD) exploitation & SonicWall firewall vulnerabilities, along with previously used phishing campaigns to breach target networks, according to an advisory from the US Cybersecurity & Infrastructure Security Agency (CISA) released Thur.
Zeppelin also seems to have a new multi-encryption tactics, executing the malware more than once within a victim’s network & creating different IDs & file extensions for multiple instances attack, states the CISA.
“This results in the victim needing several unique decryption keys,” according to the advisory.
The US CISA has identified many variants of Zeppelin through various FBI investigations, with attacks occurring as recently as June 21, the agency revealed.
Targets & Tactics
Zeppelin is a variant of the Delphi-based ransomware-as-a-service (RaaS) family initially known as Vega or Vega Locker, which emerged at the beginning of 2019 in advertisements on the Russia-based Yandex.Direct, according to BlackBerry Cylance.
Unlike its predecessor, Zeppelin’s campaigns have been much more targeted, with threat players 1st taking aim at tech & healthcare companies in Europe & the US.
Healthcare
The latest campaigns continue to target healthcare & medical organisations most often, according to the CISA. Tech companies also remain in the sights of Zeppelin, with threat players also using the RaaS in attacks against defence contractors, educational institutions & manufacturers, the agency stated.
Once they successfully infiltrate a network, threat players spend 1-2 weeks mapping or enumerating it to identify data ‘enclaves’, including deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.
Zeppelin also appears to be using the common ransomware tactic of double-extortion in its newest campaigns, taking sensitive data files from a target before encryption for potential publication online later if the victim refuses to pay, according to the US CISA.
Encryption
Once Zeppelin ransomware is executed on a network, each encrypted file is appended with a randomised 9-digit hexadecimal number as a file extension, e.g., file.txt.txt.C59-E0C-929, according to the US CISA.
Threat players also leave a note file that includes a ransom note on compromised systems, typically on a user desktop system, the agency outlined. Zeppelin players typically request payments in Bitcoin in the range of several 1,000 dollars to over $1m.
New Tactic
The newest campaigns also show threat players using a new tactic associated with Zeppelin to execute the malware multiple times within a victim’s network, which means a victim would need not 1 but multiple decryption keys to unlock files, according to the CISA.
This may, or may not, be a unique feature of a ransomware attack, noted a security professional. Roger Grimes, Data-Driven Defence Evangelist for security firm KnowBe4, outlined it is not unknown for threat players to encrypt different files separately but use 1 master key to unlock systems.
Master Key
“Most ransomware programs today have an overall master key which encrypts a bunch of other keys which really do the encryption,” he explained.
When the target asks for proof that the ransomware attacker has decryption keys that can successfully unlock files if a ransom is remitted, the ransomware group then uses a single key to unlock a single set of files to prove its worth, Grimes concluded.
