[BreachExchange] Zeppelin Ransomware

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jun 8 12:44:46 EDT 2021 

https://digital.nhs.uk/cyber-alerts/2021/cc-3864

Summary

Zeppelin is a ransomware-as-a-service tool which is delivered through
phishing campaigns. Zeppelin uses double extortion methods to both encrypt
files and steal data threatening to sell it on the dark web.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows Versions: all supported

Threat details

Introduction

First observed in November 2019, Zeppelin is a variant of the Buran
ransomware and is ransomware-as-a-service. Zeppelin ransomware targets
organisations globally except the Commonwealth of Independent States (CIS).
Zeppelin is delivered via phishing emails as part of a double extortion
campaign where data is stolen before being encrypted by the ransomware.

Delivery

Zeppelin is commonly delivered via phishing emails containing macro-laden
attachments in Microsoft Word documents. Zeppelin has also been delivered
using the ConnectWise Control (formally Screen connect) remote management
software on an already compromised network. On opening the malicious Word
document, the user is lured into enabling macros, which then extract a
downloader script hidden within the text content. This script downloads
Zeppelin, then sleeps for 26 seconds. This is used as an evasion technique
to avoid dynamic analysis in an automated sandbox, before executing the
ransomware.

Activities

Once delivered, Zeppelin checks the default language or the country calling
code to determine the location of the affected system, terminating if any
of the CIS countries are identified. Zeppelin will then connect to a
command and control (C2) server, which will then send an encryption
command. The malware creates an empty file in the %TEMP% directory and
appends the file with a ZEPPELIN extension. The encryption process involves
encrypting Windows operating system directories, web browser applications,
system boot files and user files. Following encryption, a text file ransom
note will then be left on the desktop of compromised systems.

Remediation advice

If a device on your network becomes infected with ransomware it will begin
encrypting files, which may also include remote files on network locations.
The only guaranteed way to recover from a ransomware infection is to
restore all affected files from their most recent backup. To limit the
impact of a ransomware infection, NHS Digital advises that:


   - Critical data is frequently saved in multiple backup locations.
   - At least one backup is kept offline at any time (separated from live
   systems).
   - Backups and incident recovery plans are tested to ensure that data can
   be restored when needed.
   - User account permissions for modifying data are regularly reviewed and
   restricted to the minimum necessary.
   - Infected systems are disconnected from the network and powered down as
   soon as practicable.
   - Any user account credentials that may have been compromised should be
   reset on a clean device
   - Where infected systems cannot be quarantined with confidence, then an
   affected organisation should disconnect from national networks to limit
   propagation.

Additionally, to prevent and detect an infection, NHS Digital advises that:

   - Secure configurations are applied to all devices.
   - Security updates are applied at the earliest opportunity.
   - Tamper protection settings in security products are enabled where
   available.
   - Obsolete platforms are segregated from the rest of the network.
   - IT usage policies are reinforced by regular training to ensure all
   users know not to open unsolicited links or attachments.
   - Multi-factor authentication (MFA) and lockout policies are used where
   practicable, especially for administrative accounts.
   - Administrative accounts are only used for necessary purposes.
   - Remote administration services use strongly encrypted protocols and
   only accept connections from authorised users or locations.
   - Systems are continuously monitored, and unusual activity is
   investigated, so that a compromise of the network can be detected as early
   as possible.

Please note that NCSC maintains guidance for securely configuring a wide
range of end user device (EUD) platforms. For further details refer to
their end user device security guidance pages.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210608/0aa7f8df/attachment.html>

More information about the BreachExchange mailing list