Zeppelin Ransomware Returns with New Features
Zeppelin ransomware was first seen targeting healthcare in 2019, and Juniper Threat Labs has now detected a new Zeppelin variant that uses a trojan downloader to evade antivirus software. BlackBerry Cylance researchers first observed Zeppelin in November 2019, in a wave of attacks against technology and healthcare organizations across the US and Europe. That variant was the latest member of the Delphi-based ransomware-as-a-service family known as Vega or VegaLocker, which researchers believe originated in Russia.
In the current version, Visual Basic scripts are hidden as text behind several images in the document. The malicious macros parse and extract these scripts and write them to a file at c:\wordpress\about1.vbs. A second macro then looks for the string winmgmts:Win32_Process inside the document text and uses it to launch about1.vbs via WMI. about1.vbs downloads the Zeppelin ransomware onto the machine. The downloaded binary sleeps for 26 seconds to outlast dynamic analysis in an automated sandbox and then runs the ransomware executable.
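The chain above (Office macro writes a script, WMI launches it, the script pulls a downloader, the downloader pauses before running its payload) leaves a distinctive trail in endpoint telemetry. The following detection logic is an added example written for this article; it is not Juniper's or any vendor's code. It runs over constructed process- and file-creation events with Sysmon-style field names, which are an assumption, as is the premise that a process created through Win32_Process shows WmiPrvSE.exe as its parent and that a 20-second parent-to-child gap is a useful proxy for the reported 26-second sleep.

```python
"""Detection logic for the macro -> VBS -> WMI -> downloader chain, run over
constructed (not real) endpoint events with Sysmon-like field names.
Field names, process-tree assumptions and thresholds are the example's own."""
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WMI_HOST = "wmiprvse.exe"            # assumed parent of Win32_Process.Create children
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".ps1")
SANDBOX_SLEEP = timedelta(seconds=20)  # article reports a 26-second sleep before the payload


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (host, rule, detail) alerts for the infection chain.

    events: dicts sorted by 'ts' with keys
      type: 'file_create' | 'process_create'
      host, ts (datetime), image, parent_image, pid, ppid
      target (file_create) or cmdline (process_create)
    """
    alerts = []
    dropped = set()    # (host, lower-case path) of scripts written by Office apps
    downloaders = {}   # (host, pid) -> start time of executables launched by a script host

    for e in events:
        host, image, parent = e["host"], basename(e["image"]), basename(e["parent_image"])

        if e["type"] == "file_create":
            target = e["target"].lower()
            if image in OFFICE_APPS and target.endswith(SCRIPT_EXT):
                dropped.add((host, target))
                alerts.append((host, "office_drops_script", e["target"]))
            continue

        cmd = e["cmdline"].lower()
        # Stage 2: a script host started through WMI rather than by the user or Office
        if image in SCRIPT_HOSTS and parent == WMI_HOST:
            alerts.append((host, "wmi_launches_script_host", e["cmdline"]))
        # Stage 2b: the script being run is one an Office app wrote earlier on this host
        if image in SCRIPT_HOSTS and any(h == host and p in cmd for h, p in dropped):
            alerts.append((host, "dropped_script_executed", e["cmdline"]))
        # Stage 3: the script host launches a binary (the downloader)
        if parent in SCRIPT_HOSTS and image.endswith(".exe"):
            downloaders[(host, e["pid"])] = e["ts"]
            alerts.append((host, "script_host_spawns_exe", e["image"]))
        # Stage 4: that binary spawns its payload only after a sandbox-length pause
        started = downloaders.get((host, e["ppid"]))
        if started is not None and e["ts"] - started >= SANDBOX_SLEEP:
            alerts.append((host, "delayed_payload_after_sleep", e["image"]))
    return alerts


def sample_events():
    """Constructed events: one infected host (ws01) and one benign host (ws02)."""
    t0 = datetime(2020, 8, 5, 10, 0, 0)

    def ev(type_, host, secs, image, parent, **kw):
        return dict(type=type_, host=host, ts=t0 + timedelta(seconds=secs),
                    image=image, parent_image=parent, **kw)

    return [
        ev("file_create", "ws01", 0, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
           r"C:\Windows\explorer.exe", pid=100, ppid=10, target=r"c:\wordpress\about1.vbs"),
        ev("process_create", "ws01", 1, r"C:\Windows\System32\wscript.exe",
           r"C:\Windows\System32\wbem\WmiPrvSE.exe", pid=200, ppid=50,
           cmdline=r'wscript.exe "c:\wordpress\about1.vbs"'),
        ev("process_create", "ws01", 3, r"C:\Users\alice\AppData\Local\Temp\dl.exe",
           r"C:\Windows\System32\wscript.exe", pid=300, ppid=200, cmdline="dl.exe"),
        ev("process_create", "ws01", 30, r"C:\Users\alice\AppData\Local\Temp\payload.exe",
           r"C:\Users\alice\AppData\Local\Temp\dl.exe", pid=400, ppid=300, cmdline="payload.exe"),
        # benign: a user opens a command prompt from Explorer
        ev("process_create", "ws02", 5, r"C:\Windows\System32\cmd.exe",
           r"C:\Windows\explorer.exe", pid=500, ppid=10, cmdline="cmd.exe"),
    ]


if __name__ == "__main__":
    for alert in detect_chain(sample_events()):
        print(alert)
```

Each stage fires on its own, so a single alert is a hint rather than a verdict; the value is in seeing several of them on one host within a minute, which is what the sample run produces for ws01 and not for ws02.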
The latest campaign has affected around 64 known victims and targets, according to Juniper researchers, which suggests that Zeppelin is still actively pursuing its victims. The command-and-control server the malware uses was registered in June, leading researchers to believe that this is when the new attacks began. The Zeppelin executable also checks the computer's language settings and the geolocation of its IP address to avoid infecting machines in Russia, Belarus, Kazakhstan and Ukraine.
Zeppelin infects the server, blocks all processes from operating normally, copies the backup files and then deploys the ransomware. It enumerates files on all drives and network shares to build a list of directories. Before encrypting the files, it uploads the data to a C2 server. After encryption, it looks for backup files and erases them. Unlike most other ransomware, Zeppelin does not add a file extension or rename the encrypted files. Finally, it generates a ransom note with the additional threat of publishing the stolen data if the ransom is not paid.
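Because Zeppelin keeps the original file names and extensions, the usual triage of looking for a new extension or a renamed file finds nothing; what changes is the content. The check below is an added example, not code from the article or from any vendor: it compares a file's leading bytes against the magic signature its extension implies, and for text formats it measures how much of the content is printable and how high its byte entropy is. The signature table, thresholds and in-memory sample files are all constructed for the example.

```python
"""Spot files that appear to have been encrypted in place (name and extension
unchanged, content replaced). Added example; sample files are constructed in memory."""
import math
import os
import random

# Well-known leading bytes for formats that are commonly encrypted by ransomware.
MAGIC = {
    ".pdf": (b"%PDF",), ".png": (b"\x89PNG",), ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF8",), ".zip": (b"PK\x03\x04",), ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",), ".exe": (b"MZ",),
}
TEXT_EXT = {".txt", ".csv", ".log", ".json", ".xml", ".html", ".ini", ".sql", ".md"}
MIN_PRINTABLE = 0.7   # below this share of printable bytes a "text" file is suspect
MIN_ENTROPY = 6.5     # bits per byte; ciphertext sits near 8, prose near 4-5


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data):
    """Share of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def looks_encrypted(name, head):
    """Classify a file by its name and leading bytes; return a reason or None."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:
        # A genuine file of this type starts with its signature; ciphertext will not.
        return None if any(head.startswith(m) for m in MAGIC[ext]) else "magic_mismatch"
    if ext in TEXT_EXT:
        if printable_ratio(head) < MIN_PRINTABLE and shannon_entropy(head) > MIN_ENTROPY:
            return "binary_content_in_text_file"
        return None
    return None  # unknown extension: no opinion rather than a guess


def scan(files):
    """files: dict name -> content bytes. Returns {name: reason} for suspect files."""
    suspects = {}
    for name, content in files.items():
        reason = looks_encrypted(name, content[:1024])
        if reason:
            suspects[name] = reason
    return suspects


def sample_files():
    """Constructed pair: the same three file names intact, then with ciphertext-like content."""
    rng = random.Random(2020)
    junk = lambda: bytes(rng.getrandbits(8) for _ in range(1024))  # stand-in for ciphertext
    intact = {
        "q3-report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "notes.txt": b"Meeting notes: reviewed backup rotation and restore tests.\n" * 30,
        "archive.zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + junk()[:200],
    }
    encrypted = {name: junk() for name in intact}   # same names, replaced contents
    return intact, encrypted


if __name__ == "__main__":
    intact, encrypted = sample_files()
    print("intact:", scan(intact))
    print("encrypted in place:", scan(encrypted))
```

The magic check matters more than entropy alone: a legitimate ZIP, DOCX or JPEG is already high-entropy and would be a false positive on an entropy-only rule, but it still carries its signature, whereas ciphertext does not. Run across a file share, a sudden jump in the share of flagged files is a stronger signal than any single hit.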
As companies adopt the sound practice of backing up their data, attackers have turned to stealing data from infected systems to ensure payment. In the wake of COVID-19, attacks from Sodinokibi, Maze, REvil, Netwalker and other ransomware families have increased substantially. Experts recommend securing ports and services exposed to the internet to limit the entry points into your network, securing remote access tools, which can also serve as entry points, and performing regular password audits for stronger access control.