Pierluigi Paganini August 14, 2022

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are warning of Zeppelin ransomware attacks.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint advisory to warn of Zeppelin ransomware attacks.

The Zeppelin ransomware first appeared on the threat landscape in November 2019 when experts from BlackBerry Cylance found a new variant of the Vega RaaS, dubbed Zeppelin.

The ransomware was involved in attacks aimed at technology and healthcare, defense contractors, educational institutions, manufacturers, companies across Europe, the United States, and Canada. At the time of its discovery, Zeppelin was distributed through watering hole attacks in which the PowerShell payloads were hosted on the Pastebin website.

Before deploying the Zeppelin ransomware, threat actors spend a couple of weeks mapping or enumerating the victim network to determine where data of interest is stored. The ransomware can be deployed as a .dll or .exe file or contained within a PowerShell loader.

Zeppelin actors request ransom payments in Bitcoin, they range from several thousand dollars to over a million dollars.

The group uses multiple attack vectors to gain access to victim networks, including RDP exploitation, SonicWall firewall vulnerabilities exploitation, and phishing attacks.

The threat actors also implement a double extortion model, threatening to leak stolen files in case the victims refuse to pay the ransom.

Zeppelin is typically deployed as a .dll or .exe file within a PowerShell loader. To each encrypted file, it appends a randomized nine-digit hexadecimal number as an extension. A ransom note is dropped on the compromised systems, usually on the desktop.

“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.” reads the joint advisory.

The US agencies recommend not paying the ransom because there is no guarantee to recover the encrypted files and paying the ransomware will encourage the illegal practice of extortion.

The alert also included Indicators of Compromise (IOC) along with MITRE ATT&CK TECHNIQUES for this threat.

The FBI also encourages organizations to report any interactions with Zeppelin operators, including logs, Bitcoin wallet information, encrypted file samples, and decryptor files.

To mitigate the risks of ransomware attacks, organizations are recommended to define a recovery plan, implement multi-factor authentication, keep all operating systems, software, and firmware up to date, enforce a strong passwords policy, segment networks, disable unused ports and services, audit user accounts and domain controllers, implement a least-privilege access policy, review domain controllers, servers, workstations, and active directories, maintain offline backups of data, and identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.

“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file” concludes the alert.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Zeppelin ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]