Zeppelin ransomware has mostly been used against healthcare institutions during the last three years. Defense contractors, educational institutions, manufacturing businesses, and technology firms have also been victims. Zeppelin actors have been known to ask for anywhere from a few thousand dollars to more than a million dollars as their initial ransom demand.
Some of Zeppelin’s tactics, techniques, and procedures (TTPs) include using phishing emails to trick people into giving up their passwords, and exploiting exposed RDP connections and SonicWall firewall vulnerabilities to gain initial access.
The threat actors were seen spending up to two weeks on the target network before deploying the ransomware, mapping and cataloging devices and assets, including cloud storage and network backups. They also steal private information and use it as leverage to pressure victims into paying the ransom.
Zeppelin also seems to have a new multi-encryption attack strategy that involves running the malware many times on a victim’s network and giving each attack a different ID and file extension.
Zeppelin is commonly installed using a PowerShell loader and a .dll or .exe file. It appends a randomly generated nine-digit hexadecimal extension to every encrypted file. A ransom note is left on the compromised computers, often on the desktop. The attacker generates the key pair (K, P), public and private keys, and embeds the asymmetric public key (K) in the ransomware it delivers.
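As an added illustration, not code from the advisory or from this site, the following Python scans a file listing for the nine-digit hexadecimal extension described above and groups hits by extension. Because each encryption run uses a different ID and extension, more than one distinct extension in the results is the multi-encryption pattern described earlier, and a file carrying two such extensions was encrypted by two separate runs. The path listing is constructed sample data, and the regular expression and function names are this example's assumptions.

```python
import re
from collections import Counter

# Final extension of exactly nine hexadecimal digits, e.g. "budget.xlsx.1a2b3c4d5".
# The pattern and the names below are this example's assumptions, not Zeppelin's code.
RUN_EXT = re.compile(r"^(?P<base>.+)\.(?P<ext>[0-9a-f]{9})$", re.IGNORECASE)


def strip_run_extensions(name):
    """Peel off every trailing nine-hex-digit extension from a file name.

    Returns (original_name, run_ids) with run_ids ordered outermost first, so a
    file touched by two separate encryption runs yields two ids.
    """
    run_ids = []
    while True:
        m = RUN_EXT.match(name)
        if not m:
            return name, run_ids
        run_ids.append(m.group("ext").lower())
        name = m.group("base")


def summarize(paths):
    """Map each encrypted path to its run ids and count files per run id."""
    encrypted = {}
    runs = Counter()
    for path in paths:
        filename = re.split(r"[\\/]", path)[-1]  # handles Windows and POSIX separators
        _, run_ids = strip_run_extensions(filename)
        if run_ids:
            encrypted[path] = run_ids
            runs.update(run_ids)
    return encrypted, runs


def multiple_runs(runs):
    """True when more than one distinct extension is present, i.e. the malware ran more than once."""
    return len(runs) > 1


# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.1a2b3c4d5",
    r"C:\Users\alice\Documents\contract.docx.1a2b3c4d5",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Shares\finance\ledger.csv.1a2b3c4d5.9f8e7d6c5",  # encrypted by two runs
    r"C:\Shares\finance\archive.zip",
    r"C:\Shares\hr\payroll.xlsx.9F8E7D6C5",
]

if __name__ == "__main__":
    enc, runs = summarize(SAMPLE_LISTING)
    for path, ids in enc.items():
        print(f"{path}  run ids: {ids}")
    print("files per run id:", dict(runs))
    print("multiple encryption runs:", multiple_runs(runs))
```

Treat a hit as a triage signal rather than proof: a legitimate file whose last extension happens to be nine hex digits will match, so confirm against the presence of the ransom note and the file-modification timeline before declaring an incident.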
CISA reports that the threat actors spend one to two weeks mapping or enumerating a network after successfully breaking in, looking for data enclaves such as cloud storage and network backups. They then use a PowerShell loader or a .dll or .exe file to deploy the Zeppelin ransomware. Most ransomware in use today uses a global master key to encrypt the per-victim keys that do the actual file encryption.
In its most recent attacks, Zeppelin seems to be using the standard ransomware method of “double extortion,” which involves stealing sensitive files from a target before encrypting them and then making them public if the target doesn’t pay.
1) After being run on the victim’s system, the ransomware generates a random symmetric key (R) and uses it to encrypt the system’s files.
2) It then encrypts the symmetric key (R) with the asymmetric public key (K) embedded in the ransomware. This is known as hybrid encryption: the file-encryption key is now itself encrypted under a public key, and only the attacker’s private key can recover it.
3) After encryption is complete, the victim is left a message containing the asymmetric ciphertext (Ck) and instructions on how to pay to get the data decrypted. When the victim pays, they also send the attacker that encrypted symmetric key, the asymmetric ciphertext (Ck).
4) The attacker uses the private key (P) to decrypt Ck and recovers the symmetric key (R) that was used to encrypt the files. The attacker then sends the symmetric key to the victim, who can use it to decrypt the files.
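To make the four steps concrete, here is an added teaching model in Python. It is not Zeppelin’s code and not from the advisory: a toy RSA pair built from small constructed primes stands in for the attacker’s (K, P), and a SHA-256 keystream stands in for the real file cipher, so the arithmetic is readable but not secure. All function names and constants are this example’s assumptions. The point for a defender is in `demo()`: with only K and Ck available on the victim host, the files stay locked, which is why recovery planning rests on offline backups rather than on recovering the key.

```python
"""Teaching model of the hybrid key scheme: R encrypts files, K wraps R into Ck, only P unwraps Ck.
Constructed example with toy primitives; nothing here is production cryptography or Zeppelin's code."""
import hashlib
import secrets

# --- attacker-side key pair (K = public, P = private), toy RSA ----------------------
# Small constructed primes so the numbers stay readable; real keys use ~2048-bit primes.
_P_PRIME, _Q_PRIME = 1000003, 1000033
_E = 65537


def make_keypair():
    n = _P_PRIME * _Q_PRIME
    phi = (_P_PRIME - 1) * (_Q_PRIME - 1)
    d = pow(_E, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (_E, n), (d, n)        # K, P


def rsa_apply(key, value):
    """Textbook RSA: value ** exponent mod n. Used both to wrap (with K) and unwrap (with P)."""
    exp, n = key
    return pow(value, exp, n)


# --- symmetric part: toy keystream cipher keyed by R ---------------------------------
def keystream_xor(key_int, data):
    """XOR data with SHA-256(key || counter) blocks; encrypting and decrypting are the same op."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hashlib.sha256(key_int.to_bytes(8, "big") + counter.to_bytes(8, "big")).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# --- the four steps from the text ----------------------------------------------------
def encrypt_files(files, public_key):
    """Steps 1-2: a random symmetric key R encrypts every file; R is wrapped under K into Ck.
    Returns (encrypted_files, Ck). R itself is not kept, as it would not be on the victim host."""
    _, n = public_key
    R = secrets.randbelow(n - 2) + 2      # random symmetric key; must be < n for toy RSA
    encrypted = {name: keystream_xor(R, data) for name, data in files.items()}
    Ck = rsa_apply(public_key, R)         # asymmetric ciphertext placed in the ransom note
    return encrypted, Ck


def recover_symmetric_key(Ck, private_key):
    """Step 4 (attacker side): only P unwraps Ck back to R."""
    return rsa_apply(private_key, Ck)


def decrypt_files(encrypted, R):
    """Step 4 (victim side, after R is handed over)."""
    return {name: keystream_xor(R, data) for name, data in encrypted.items()}


# Constructed sample "victim files".
SAMPLE_FILES = {
    "patients.csv": b"id,name\n1,Alice\n2,Bob\n",
    "notes.txt": b"quarterly backup verified 2024-01-01",
}


def demo():
    """Returns (still_locked_without_P, restored_with_P)."""
    K, P = make_keypair()
    encrypted, Ck = encrypt_files(SAMPLE_FILES, K)
    # Victim-side view: K and Ck are present, R and P are not. Re-applying the public
    # key to Ck does not yield R, so the files remain unreadable.
    wrong_guess = rsa_apply(K, Ck)
    still_locked = decrypt_files(encrypted, wrong_guess) != SAMPLE_FILES
    # Attacker-side view: P unwraps Ck, and the recovered R decrypts everything.
    R = recover_symmetric_key(Ck, P)
    restored = decrypt_files(encrypted, R) == SAMPLE_FILES
    return still_locked, restored


if __name__ == "__main__":
    print("locked without P:", demo()[0], "| restored with P:", demo()[1])
```

The dependency chain is the whole story: every file depends on R, R is only available through Ck, and Ck is only openable with P, which never leaves the attacker. That is the same reason a single master key (as the text notes for most current ransomware) makes the attacker’s private key the one thing a victim cannot obtain by analysing the malware.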
To lower the risk of ransomware compromise, organizations are advised to use network segmentation, enforce a strong password policy, disable unused ports and services, audit user accounts and domain controllers, apply a least-privilege access policy, keep all software and operating systems up to date, keep offline backups of data, and maintain a recovery plan.