Cybercriminals now have a new weapon: a new form of ransomware, Zeppelin. This ransomware is targeting companies in the U.S., Europe, and Canada. It is a new variant of the VegaLocker/Buran ransomware. Notably, machines located in Russia or other ex-USSR countries, including Ukraine, Belarus, and Kazakhstan, are not targeted: the ransomware aborts its operation if the machine is located in any of these countries. Previously, attacks from the Vega family concentrated primarily on Russian-speaking users. After variants of this family were sold as Ransomware-as-a-Service (RaaS) on Russian forums in May 2019, Zeppelin may have landed in the hands of new threat actors. Analysis revealed that this particular variant was first compiled in November 2019 and, within a month, had begun targeting companies in the IT and healthcare industries.
About Zeppelin Ransomware
Zeppelin is a highly configurable ransomware that belongs to the Vega (VegaLocker) family. It is offered as Ransomware-as-a-Service, which makes it customizable to the requirements of each attacker. Its key features include:
| # | Feature | Description |
|---|---------|-------------|
| 1 | IP Logger | Stores the IP addresses and locations of the victims. |
| 2 | Delete Backups | Stops a targeted service, deletes the file backups, disables recovery, and more. |
| 3 | Auto-unlock | During encryption, unlocks files that appear to be locked. |
| 4 | User Account Control (UAC) prompt | The ransomware requires the access token and prompts the user for consent. |
How does Zeppelin work?
Experts believe the ransomware reaches its victims through malvertising and watering-hole attacks. It also spreads through supply-chain attacks that abuse Managed Security Service Providers (MSSPs). The malware can be delivered as an .exe, .dll, or .ps1 script payload, or wrapped in a PowerShell loader, but it spreads as a .zeppelin file. Once on the system, the ransomware encrypts the targeted files using a private key. This encryption also lets the attackers identify their own targets if other attacks are targeting the same machine. The threat actors can also monitor the logged IP addresses to recognize their victims.
After encrypting the files, the attacker contacts the victim through a file containing a ransom note. Though these notes differ from one victim to another, the ransom is generally demanded in bitcoin. This implies that several different threat actors are using Zeppelin. They tailor their attacks to their own needs, and one of them is running a malicious campaign against tech and healthcare firms. This small-scale targeting could also be a test run for a bigger and more destructive campaign.
The attack is believed to originate from Russia, as it does not target the major ex-USSR nations. On initial execution, the malware checks the country code to determine where the victim machine is located. This behaviour closely resembles another targeted campaign, Sodinokibi.
As Zeppelin is still a newly discovered variant of the Vega family, no free tools are available to decrypt the data it locks. However, organizations with dedicated security checks and balances can help prevent the attack from occurring.
How to steer clear of Zeppelin ransomware?
The best solution for an organization to stay protected from Zeppelin is to adopt a detailed security strategy.
- Keep all operating systems updated.
- Maintain regular backups.
- Store backups on devices that are not connected to a private or public network.
- Organize awareness training for the staff.
- Introduce personnel to the basic security guidelines.
- Track and monitor the network traffic carefully.
Zeppelin ransomware has yet to reach the level of Ryuk or Maze ransomware. So far it targets small organizations, but if the Zeppelin campaign grows out of proportion, its distribution scale could easily match BitPaymer. It is one of the threats the cybersecurity world should monitor carefully. Zeppelin may well evolve its attack methods and spawn new variants. To deal with such serious challenges, organizations need skilled professionals who can set precautionary measures and enforce strict practices to counter Zeppelin attacks.
EC-Council Certified Security Analyst (ECSA) is one such highly acclaimed training program that helps professionals identify the weak spots in a security infrastructure and develop strategies to fortify it. The program is ideal for those who want to gain holistic knowledge as well as critical penetration testing skills. Join the program today, and secure your organization against the rising terror of Zeppelin!