T2022_15 What you should know about Zeppelin Ransomware (17th August 2022) 

What is Zeppelin Ransomware?  

Zeppelin ransomware is a variant of the Buran ransomware that operates as Ransomware as a Service (RaaS), a model in which ransomware is sold or rented to buyers. Threat actors use this malware to target a variety of businesses and critical infrastructure organizations, including the medical and healthcare industries. Zeppelin ransomware deletes volume shadow copies and system state backups to prevent victims from recovering encrypted files. 

Technical Details   

Threat actors gain access to networks through a variety of methods, including Remote Desktop Protocol (RDP) exploitation, SonicWall firewall vulnerabilities, and phishing campaigns. Before deploying the ransomware, they map or enumerate the victim network to identify data enclaves, such as cloud storage and network backups. Zeppelin actors can distribute Zeppelin ransomware as a .dll or .exe file, or as part of a PowerShell loader. 

Just before encryption takes place, Zeppelin actors steal sensitive corporate data files to sell or publish if the victim does not pay the ransom. When the ransomware is executed, a randomized nine-digit hexadecimal number is appended as a file extension to each encrypted file, for example, file.txt.txt.C59-E0C-929. On compromised systems, a file containing a ransom note is frequently left on the desktop. Zeppelin actors have been observed executing their malware multiple times within a victim's network, resulting in a different ID or file extension for each instance of the attack; as a result, the victim requires several unique decryption keys. 
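The appended extension is the one artefact of an encryption run that an administrator can look for directly in a file listing. The following Python script is an added example for this advisory, not code from the CIRT or from the CISA alert: it matches the extension shape inferred from the page's example (three hyphen-separated groups of three hexadecimal digits, an assumption drawn from "C59-E0C-929"), groups the matching files by ID, and reports whether more than one ID is present, which is the condition under which several decryption keys would be needed. The file listing is constructed for the example and is not from a real incident.

```python
import re
from collections import defaultdict

# Extension shape inferred from the advisory's example "file.txt.txt.C59-E0C-929":
# three groups of three hex digits separated by hyphens, at the very end of the name.
# This is an assumption for the example; treat matches as triage leads, not proof.
ZEPPELIN_EXT = re.compile(r"\.([0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")


def zeppelin_id(path):
    """Return the nine-digit hex ID if the path ends in a Zeppelin-style extension, else None."""
    m = ZEPPELIN_EXT.search(path)
    return m.group(1).upper() if m else None


def scan_listing(paths):
    """Group suspected encrypted files by the ID appended to them."""
    by_id = defaultdict(list)
    for p in paths:
        i = zeppelin_id(p)
        if i:
            by_id[i].append(p)
    return dict(by_id)


def summarize(paths):
    """Count matches and flag multiple distinct IDs, i.e. multiple encryption runs."""
    by_id = scan_listing(paths)
    return {
        "encrypted_files": sum(len(v) for v in by_id.values()),
        "distinct_ids": sorted(by_id),
        # Several IDs in one estate means the malware ran more than once and each
        # run needs its own decryption key, as the advisory describes.
        "multiple_runs": len(by_id) > 1,
    }


# Constructed sample listing (not from a real incident): the advisory's example extension,
# a second constructed ID, and benign names that must not match.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\file.txt.txt.C59-E0C-929",
    r"C:\Users\alice\Documents\budget.xlsx.xlsx.C59-E0C-929",
    r"\\fileserver\shares\hr\contracts.docx.docx.1A2-B3C-4D5",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Program Files\app\lib-1.2.3.dll",      # version numbers are not hex triplets at the end
    r"C:\backup\archive-ABC-DEF-GH1.zip",        # ends in .zip, and 'G'/'H' are not hex digits
]

if __name__ == "__main__":
    for file_id, files in scan_listing(SAMPLE_LISTING).items():
        print(file_id, len(files), "file(s)")
    print(summarize(SAMPLE_LISTING))
```

Run it against a directory walk (`os.walk`) or an exported file inventory rather than the constructed list; the distinct-ID count per share tells the responder how many keys a recovery would depend on before any negotiation or restore decision is made.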

A list of Indicators of Compromise (IOCs) and techniques used by threat actors to deliver Zeppelin ransomware can be found at the following URL:  

https://www.cisa.gov/uscert/ncas/alerts/aa22-223a  

Mitigation   

The following are some steps users and administrators can take to reduce the risk of infection by Zeppelin ransomware:  

Use multifactor authentication  

  •  Require multifactor authentication to remotely access networks from external sources.  

Implement network segmentation and filter traffic  

  • Implement and ensure robust network segmentation between networks and functions to reduce the spread of ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.  

  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.   

  • Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files to prevent them from reaching end users.  

  • Implement a URL blocklist and/or allow list to prevent users from accessing malicious websites.  

Scan for vulnerabilities and keep software updated.   

  • Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures.   

  • Upgrade software and operating systems, applications, and firmware on network assets in a timely manner. Consider using a centralized patch management system.   

Remove unnecessary applications and apply controls.  

  • Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications—such as remote monitoring and management software and remote desktop software applications—to aid in the malicious exploitation of an organization’s enterprise.   

  • Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.  

  • Implement application allow listing, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs.  

  • Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.  

Implement endpoint detection and response (EDR) tools.   

  •  Endpoint detection and response tools provide a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.   

Limit access to resources over the network, especially by restricting RDP.   

  • After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multifactor authentication.  

Secure user accounts.  

  • Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.  

  • Regularly audit logs to ensure that newly created accounts belong to legitimate users.  
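Two of the controls above, restricting the sources from which RDP may originate and auditing logs for new accounts, can be checked from the same Windows Security event stream. The Python script below is an added example for this advisory, not code from the CIRT: it uses the standard Windows event IDs 4624 (successful logon, where logon type 10 is a RemoteInteractive/RDP session) and 4720 (user account created), and flags RDP logons from outside an assumed set of permitted source networks and account creations by principals outside an assumed approved list. The permitted networks, approved creators and the event records are all constructed for the example.

```python
import ipaddress

# Standard Windows Security event IDs (not Zeppelin-specific):
EVENT_LOGON = 4624            # successful logon
EVENT_ACCOUNT_CREATED = 4720  # a user account was created
RDP_LOGON_TYPE = 10           # LogonType 10 = RemoteInteractive (RDP)

# Assumed policy values for this example: the only networks allowed to originate RDP
# (e.g. a VPN pool and a jump-host subnet) and the principals approved to create accounts.
ALLOWED_RDP_SOURCES = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]
APPROVED_CREATORS = {"helpdesk-svc", "it.admin"}


def rdp_from_unexpected_source(ev):
    """True for an RDP logon whose source address is outside the permitted networks."""
    if ev["EventID"] != EVENT_LOGON or ev.get("LogonType") != RDP_LOGON_TYPE:
        return False
    src = ev.get("IpAddress")
    if src in (None, "", "-", "::1", "127.0.0.1"):
        return False  # console or loopback sessions carry no usable remote address
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in ALLOWED_RDP_SOURCES)


def unapproved_account_creation(ev):
    """True for an account creation performed by a principal not on the approved list."""
    return ev["EventID"] == EVENT_ACCOUNT_CREATED and ev.get("SubjectUserName") not in APPROVED_CREATORS


def audit(events):
    """Return (finding, target account, detail) tuples for review by an administrator."""
    findings = []
    for ev in events:
        if rdp_from_unexpected_source(ev):
            findings.append(("rdp_unexpected_source", ev["TargetUserName"], ev["IpAddress"]))
        if unapproved_account_creation(ev):
            findings.append(("account_created_by_unapproved", ev["TargetUserName"], ev["SubjectUserName"]))
    return findings


# Constructed event records in the order they would appear in the log (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.10.4.23"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.77"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "bob", "IpAddress": "-"},
    {"EventID": 4720, "TargetUserName": "new.hire", "SubjectUserName": "helpdesk-svc"},
    {"EventID": 4720, "TargetUserName": "support_tmp", "SubjectUserName": "svc-backup"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(*finding)
```

In the constructed data the same principal, svc-backup, both logs in over RDP from an address outside the permitted ranges and then creates an account; seeing the two findings side by side is what makes an audit of this kind useful, since either event alone is easy to dismiss. In production the records would come from the Security log export or the SIEM rather than a list literal.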

 The Guyana National CIRT recommends that users and administrators review these recommendations and implement them where necessary.   

 

PDF Download: Zeppelin Ransomware.pdf

References  

 https://www.pcrisk.com/removal-guides/16540-zeppelin-ransomware