Be Aware of Zeppelin Ransomware Attacks

August 18, 2022

The Zeppelin has mostly been used against healthcare institutions during the last three years. Defense contractors, educational institutions, businesses engaged in manufacturing, and technological firms are also victims. Actors in Zeppelin have been known to ask for anywhere from a few thousand dollars to more than a million dollars as their first ransom.

Some of Zeppelin’s tactics, methods, and procedures (TTPs) include using phishing emails to trick people into giving up their passwords and exploiting RDP connections and SonicWall firewall flaws to get initial access.

The threat actors were seen spending up to two weeks on the target network before delivering the ransomware, mapping, and cataloging devices and assets, including cloud storage and network backups. They also steal private information and use it as a bargaining chip to force victims to pay a ransom.

Zeppelin also seems to have a new multi-encryption attack strategy that involves running the malware many times on a victim’s network and giving each attack a different ID and file extension.

Zeppelin is commonly installed using a PowerShell loader and a.dll or.exe file. It adds a randomly generated nine-digit hexadecimal extension to every encrypted file. A ransom letter is left on the hacked computers, often on the desktop. The attacker creates the key pair (K,P)—public and private keys—and then delivers the virus using the asymmetric public key (K).

The CIA claims that threat actors spend one to two weeks mapping or enumerating a network after successfully breaking in to find data enclaves, such as cloud storage and network backup. They then use a PowerShell loader or a.dll or.exe file to distribute the Zeppelin ransomware. Most ransomware algorithms in use today use a global master key to encrypt the other keys that do the actual encryption.

In its most recent attacks, Zeppelin seems to be using the standard ransomware method of “double extortion,” which involves stealing sensitive files from a target before encrypting them and then making them public if the target doesn’t pay.

1) After being run within the victim’s system, the virus creates a random symmetric key (R) and uses it to encrypt the system’s contents.

2) It then encrypts the symmetric key using the asymmetric public key (K) given by the virus (R). It’s known as hybrid encryption. (The file’s symmetric key is now encrypted with a public key, and the attacker’s private key is the only thing that can unlock it.)

3) After encryption is complete, the victim receives a message with the asymmetric ciphertext (Ck) and instructions on how to pay to get the data decrypted. When the victim sends money to the attacker, they also send the encrypted symmetric-cipher key, which is called (Ck) asymmetric ciphertext.

Attacker: It uses the victim’s private key (P) to decrypt the files and obtains the symmetric key that was used to encrypt them. The symmetric key that may be used to decrypt the files is now sent by the attacker to the victim.

Organizations are told to use network segmentation, enforce a strong password policy, turn off unused ports and services, audit user accounts and domain controllers, set up a least-privilege access policy, keep all software and operating systems up to date, keep offline backups of data, and set up a recovery plan to lower the risk of ransomware compromise.

All courses at Cybercert are eligible for discounts. To receive your 25% discount on all October Cyber Security classes, call +1 416-415-4545

Sam Fareed

Lead Instructor qualified in CISSP, CCIE, and MCT with 25 years of training experience in Toronto.