The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released details of the tactics of a ransomware group called Zeppelin which has been targeting large organizations in the US and Europe with huge ransom demands.
Zeppelin emerged in late 2019 as a ransomware-as-a-service double-extortion operation and was previously called VegaLocker ransomware. It was known for targeting healthcare sector organizations across Europe and North America. The agencies say the group has also targeted defense contractors, educational institutions, manufacturers and technology companies, but note that it has “especially” targeted organizations in the healthcare and medical industries.
According to the joint advisory, Zeppelin actors have also compromised victim networks by exploiting remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing. The UK’s National Health Service (NHS) last year reported the group was using malicious macros in Word documents to spread the malware, but that may be less likely in future after Microsoft’s recent default block on untrusted VBA macros in Office.
Zeppelin actors are known to have demanded ransoms of several thousand dollars to in excess of $1 million. The advisory references Core Security’s research, which describes Zeppelin as a “well-organized” threat.
The FBI has found attackers do indeed take extra care in laying the groundwork before and during ransomware deployments. For example, they spend up to two weeks mapping a network looking for cloud storage and network backups. Then the malware is deployed as a DLL or executable file contained within a PowerShell loader.
Zeppelin can leave victims needing not just one but several decryption keys, and a network often ends up with machines tagged with multiple IDs. Once executed, the malware tags each encrypted file with a randomized nine-digit hexadecimal number as a file extension, which serves as the victim’s personal ID.
“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys,” the advisory states.
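The file-tagging behaviour described above is something an incident responder can check for directly: grouping encrypted files by the nine-hex-digit extension shows how many distinct victim IDs (and therefore how many decryption keys) a network would need. The script below is an added example, not code from the advisory or the agencies; it assumes the nine hex digits may be written either contiguously or as three dash-separated groups, and runs over a constructed file listing.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Extension pattern from the advisory summary above: nine hexadecimal digits.
# Assumption (not stated on this page): the digits may also appear as three
# dash-separated groups, so both "C59E0C929" and "C59-E0C-929" are accepted.
ZEPPELIN_EXT = re.compile(
    r"\.([0-9A-Fa-f]{3})-?([0-9A-Fa-f]{3})-?([0-9A-Fa-f]{3})$"
)


def extract_victim_id(path: str) -> Optional[str]:
    """Return the normalized nine-hex-digit ID if the file name ends in one."""
    m = ZEPPELIN_EXT.search(path)
    if not m:
        return None
    return "".join(m.groups()).upper()


def group_by_victim_id(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map each distinct victim ID to the files carrying it.

    Several distinct IDs across one network mean the malware was executed
    more than once, and the victim will need a separate decryption key per ID.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        vid = extract_victim_id(p)
        if vid:
            groups[vid].append(p)
    return dict(groups)


# Constructed sample listing (not real victim data): two IDs, two clean files.
SAMPLE_LISTING = [
    r"\\FS01\finance\q3.xlsx.C59-E0C-929",
    r"\\FS01\finance\q4.xlsx.C59-E0C-929",
    r"\\FS01\hr\payroll.docx.1AB2C3D4E",
    r"\\FS01\hr\readme.txt",
    r"\\FS01\it\backup.vhdx.1ab2c3d4e",
    r"\\FS01\it\notes.md.12345",
]

if __name__ == "__main__":
    for vid, files in group_by_victim_id(SAMPLE_LISTING).items():
        print(f"victim ID {vid}: {len(files)} file(s)")
```

In a real engagement the listing would come from a file-share walk or EDR inventory; more than one ID in the output is the signal that the negotiation and recovery plan must account for multiple keys.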
The FBI hopes to collect information from victims of Zeppelin actors. It encourages victims to report ransomware incidents to a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file,” it said.