Zeppelin ransomware can be executed multiple times once compromised, targets include critical infrastructure
U.S. security agencies released on Thursday a joint cybersecurity advisory (CSA) detailing known Zeppelin ransomware indicators of compromise (IOCs), as well as recently and historically observed tactics, techniques, and procedures (TTPs). The advisory draws on investigations carried out by the Federal Bureau of Investigation (FBI) as recently as June 21 this year into the ransomware's variants. The agencies also call upon organizations to implement the recommended mitigations to reduce the likelihood and impact of ransomware incidents.

“Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS),” the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), wrote in the joint CSA. “From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars,” they added.

In June, Tenable said that the advent of RaaS is one of the main reasons why ransomware has advanced from a fledgling threat into a force to be reckoned with. The service model has significantly lowered the barrier of entry, allowing cybercriminals who lack the technical skills to commoditize ransomware.

The CISA-FBI advisory said that the FBI has observed instances where Zeppelin hackers executed their malware multiple times within a victim’s network, resulting in different IDs or file extensions for each instance of an attack, so that the victim needs several unique decryption keys.

The Zeppelin hackers gain access to victim networks using remote desktop protocol (RDP) exploitation, breaching SonicWall firewall vulnerabilities, and phishing campaigns, the joint CSA said. “Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups,” it added.

The advisory disclosed that the Zeppelin hackers can deploy Zeppelin ransomware as a .dll or .exe file, or contained within a PowerShell loader. “Prior to encryption, Zeppelin actors exfiltrate sensitive company data files to sell or publish in the event the victim refuses to pay the ransom. Once the ransomware is executed, a randomized nine-digit hexadecimal number is appended to each encrypted file as a file extension, e.g., file.txt.txt.C59-E0C-929,” it added.
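The appended marker gives responders a quick way to triage an affected share. As an added example (not part of the advisory or this article), the following Python groups files by their nine-digit hexadecimal extension, so each distinct marker corresponds to one execution of the ransomware and therefore to one decryption key the victim would need; the file listing is constructed, and the hyphenated three-by-three layout is assumed from the advisory's single example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Zeppelin appends a nine-digit hex marker as the final extension; the advisory's
# example is file.txt.txt.C59-E0C-929, so the layout assumed here is three
# hyphen-separated hex triplets. Matching is case-insensitive to be safe.
ZEPPELIN_EXT = re.compile(r"\.([0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")

def zeppelin_marker(path: str) -> Optional[str]:
    """Return the normalised marker if the path ends in a Zeppelin-style extension."""
    m = ZEPPELIN_EXT.search(path)
    return m.group(1).upper() if m else None

def group_by_instance(paths: List[str]) -> Dict[str, List[str]]:
    """Map each marker (one ransomware execution) to the files carrying it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        marker = zeppelin_marker(p)
        if marker:
            groups[marker].append(p)
    return dict(groups)

def triage(paths: List[str]) -> dict:
    """Summarise how many distinct executions (and thus keys) a listing implies."""
    groups = group_by_instance(paths)
    encrypted = sum(len(v) for v in groups.values())
    return {
        "instances": len(groups),          # distinct markers == decryption keys needed
        "files_per_instance": {k: len(v) for k, v in groups.items()},
        "encrypted": encrypted,
        "untouched": len(paths) - encrypted,
    }

# Constructed file listing (not real victim data): two executions, one lowercase
# variant of the first marker, and a near-miss with non-hex characters.
SAMPLE_LISTING = [
    r"C:\Shares\Finance\Q2.xlsx.xlsx.C59-E0C-929",
    "/srv/files/report.docx.docx.C59-E0C-929",
    "/srv/files/photo.jpg.jpg.c59-e0c-929",
    "/srv/files/notes.txt.txt.1A7-BB2-04F",
    "/srv/files/readme.txt",
    "/srv/files/archive.tar.gz",
    "/srv/files/backup-2022-06-21.zip",
    "/srv/files/data.csv.ABC-DEF-GHI",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```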

The FBI and CISA recommend that network defenders limit potential adversarial use of common system and network discovery techniques, while working towards reducing the risk of compromise by Zeppelin ransomware. The agencies recommended implementing a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. They also called for all accounts with password logins to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.

The advisory also called for multi-factor authentication for all services to the extent possible, particularly for web mail, virtual private networks, and accounts that access critical systems. It also recommended network segmentation to prevent the spread of ransomware, by controlling traffic flows between, and access to, various sub-networks and by restricting adversary lateral movement.

The joint CSA covering the Zeppelin ransomware also suggested maintaining offline data backups and regularly carrying out backup and restoration exercises, so that an organization hit by ransomware is not severely interrupted and is not left with only irretrievable data. It also said that organizations must ensure that all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.

Data released by industrial cybersecurity company Dragos this week revealed a drop in industrial ransomware incidents for the year’s second quarter, even as ransomware groups continued to target industrial organizations and infrastructure, disrupting OT (operational technology) operations. The fall likely resulted from the closure of the Conti hacker group, which was behind most of the ransomware attacks in the previous two quarters. Additionally, Dragos assesses with moderate confidence that ransomware with destructive capability will continue to target OT operations, given the continuing political tension between Russia and western countries.