Federal agencies warn on tactics, techniques, and procedures used by Zeppelin ransomware actors
First spotted in 2019, Zeppelin ransomware has been used to target a wide range of businesses and critical infrastructure organizations. The main targets include defense contractors, colleges and universities, manufacturers, technology companies, and healthcare organizations.
Zeppelin attacks declined for several months but picked up again in late 2020. Today we are seeing an increase in Zeppelin attacks, driven by the sophisticated code used in the ransomware. The attackers use new downloader components, so the ransomware is poorly detected by legacy anti-virus applications. At the time of the first attacks, almost 30% of antivirus products could not catch this ransomware threat.
Zeppelin is a form of Ransomware-as-a-Service (RaaS), meaning that the ransomware authors provide the software to “affiliates”, or simply customers, who then use it to hold the captured data hostage. For more information about how this scheme works, read our previous article The State of Ransomware in 2022. Zeppelin itself is a simple piece of code (Vega malicious code, to be precise) spread by affiliates. The ransomware developers offer the code to affiliates in exchange for a revenue share. The phishing documents are designed to lure users into enabling Visual Basic for Applications (VBA) macros that trigger the infection process. Zeppelin attacks often start as phishing with Microsoft Word attachments labeled as medical invoices; if the recipient opens the attachment and enables macros, the hidden malicious macros infect the computer.
The threat actors typically spend around 1-2 weeks inside victims’ networks before deploying the ransomware payload. During this time, they map and enumerate the victims’ networks and pinpoint data of interest, including backups and cloud storage services. Finally, they exfiltrate sensitive data. A ransom demand is then issued, usually in Bitcoin, ranging from several thousand dollars to more than a million.
The proliferation of Zeppelin has drawn heightened attention from government bodies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about the Zeppelin RaaS operations. This alert is part of the ongoing #StopRansomware effort to publish advisories on various ransomware variants and threat actors.
The alert describes Zeppelin’s main characteristics and states that attackers have used a variety of vectors to gain initial access to victims’ networks. The threat actors exploit Remote Desktop Protocol (RDP), vulnerabilities in SonicWall appliances, vulnerabilities in Internet-facing applications, and phishing emails. The phishing-based attacks, which are the most common, use a combination of malicious links and attachments containing malicious macros.
The FBI has also highlighted a specific trait of the Zeppelin ransomware: specialists observed several attacks in which data was encrypted several times using different encryption keys. Such an operation scheme adds to the complexity of recovering from an attack. The joint CISA and FBI alert is therefore timely and reasonable.
CISA and the FBI have shared Indicators of Compromise (IoCs) and detection rules in their alert to help network defenders identify attacks in progress and block attacks before file encryption. Mitigations have also been shared to reduce the risk of compromise, and we share some of these mitigation points below.
If a ransomware attack has occurred, victims should share information with the FBI, regardless of whether the ransom is paid. Specifically, the FBI may request boundary logs showing any contact with foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. This data would not only help track the frequency and intensity of Zeppelin attacks but also help identify the attackers behind the Zeppelin ransomware gang.
CISA and the FBI do not encourage paying Zeppelin ransom demands, since there is no guarantee that paying the ransom will prevent data leaks or future attacks. Instead, receiving the ransom money will likely encourage the attackers to target more victims and motivate other cybercrime groups to join them in ransomware attacks.
We remind you that the duty to report ransomware cases is already incorporated in some state and industry-specific data protection regulations. For instance, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), as of March 2022, contains a provision for mandatory reporting of ransomware attacks. Read more about these provisions in our article CIRCIA: Cyber Incident Reporting For Critical Infrastructure.
Ransomware attack methods are continually evolving. Take steps now to ensure you are ready to address ransomware threats, and feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!