Zeppelin ransomware is back and employing new compromise and encryption tactics in its recent campaigns against various vertical industries—particularly healthcare—as well as critical infrastructure organizations, the feds are warning.
Threat actors deploying the ransomware as a service (RaaS) are tapping remote desktop protocol (RDD) exploitation and SonicWall firewall vulnerabilities–alongside previously used phishing campaigns–to breach target networks, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) released Thursday.
Zeppelin also appears to have a new multi-encryption tactics, executing the malware more than once within a victim’s network and creating different IDs and file extensions for multiple instances attack, according to the CISA.
“This results in the victim needing several unique decryption keys,” according to the advisory.
The CISA has identified multiple variants of Zeppelin through various FBI investigations, with attacks occurring as recently as June 21, the agency said.
Targets and Tactics
Zeppelin is a variant of the Delphi-based ransomware-as-a-service (RaaS) family initially known as Vega or VegaLocker, which emerged at the beginning of 2019 in advertisements on the Russia-based Yandex.Direct, according to BlackBerry Cylance.
Unlike its predecessor, Zeppelin’s campaigns have been much more targeted, with threat actors first taking aim at tech and healthcare companies in Europe and the United States.
The latest campaigns continue to target healthcare and medical organizations most often, according to the CISA. Tech companies also remain in the crosshairs of Zeppelin, with threat actors also using the RaaS in attacks against defense contractors, educational institutions and manufacturers, the agency said.
Once they successfully infiltrate a network, threat actors spend one to two weeks mapping or enumerating it to identify data enclaves, including cloud storage and network backup, according to the agency. They then deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.
Zeppelin also appears to be using the common ransomware tactic of double extortion in its latest campaigns, exfiltrating sensitive data files from a target prior to encryption for potential publication online later if the victim refuses to pay, according to the CISA.
Once Zeppelin ransomware is executed on a network, each encrypted file is appended with a randomized nine-digit hexadecimal number as a file extension, e.g., file.txt.txt.C59-E0C-929, according to the CISA.
Threat actors also leave a note file that includes a ransom note on compromised systems, typically on a user desktop system, the agency said. Zeppelin actors typically request payments in Bitcoin in the range of several thousand dollars to more than $1 million.
The latest campaigns also show threat actors using a new tactic associated with Zeppelin to execute the malware multiple times within a victim’s network, which means a victim would need not one but multiple decryption keys to unlock files, according to the CISA.
However, this may or may not be a unique aspect of a ransomware attack, noted one security professional. Roger Grimes, data-driven defense evangelist for security firm KnowBe4, said it’s not uncommon for threat actors to encrypt different files separately but use one master key to unlock systems.
“Most ransomware programs today have an overall master key which encrypts a bunch of other keys which really do the encryption,” he told Threatpost in an email.
When the victim asks for proof that the ransomware attacker has decryption keys that can successfully unlock files if a ransom is paid, the ransomware group then uses a single key to unlock a single set of files to prove its worth, Grimes said.