
Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics

Zeppelin is a variant of the Delphi-based Vega (VegaLocker) ransomware family, offered as ransomware-as-a-service (RaaS). Unlike its predecessor, Zeppelin’s campaigns were much more targeted, with threat actors first going after technology and healthcare companies in Europe and the U.S.


The FBI has noted that the Zeppelin ransomware program has made a comeback in recent campaigns against a range of vertical sectors (especially healthcare) and critical infrastructure organizations, using new compromise and encryption tactics. According to an advisory released Thursday by the Cybersecurity and Infrastructure Security Agency (CISA), the threat actors behind the ransomware-as-a-service (RaaS) operation are exploiting Remote Desktop Protocol (RDP) and SonicWall firewall vulnerabilities, in addition to the phishing campaigns they used previously, to gain access to target networks.

According to CISA, Zeppelin also uses a new multiple-encryption tactic: the malware is executed several times within the victim’s network, and each run generates a different file identifier and file extension. “This results in the victim needing several unique decryption keys,” the advisory says. The agency said several Zeppelin variants were uncovered during various FBI investigations, and that the attacks took place on June 21. Zeppelin is a variant of the Delphi-based ransomware family originally known as Vega or VegaLocker, operated as RaaS, and it appeared in advertisements on the Russian Yandex service in early 2019, according to BlackBerry Cylance. Unlike its predecessor, Zeppelin’s campaigns were much more targeted, with threat actors first going after technology and healthcare companies in Europe and the United States. According to CISA, the latest campaigns are still mostly focused on healthcare and medical organizations. Technology companies also remain in Zeppelin’s sights, and threat actors are also using the RaaS to attack defense contractors, educational institutions, and manufacturers.

After successfully penetrating a network, the threat actors spend one to two weeks mapping or enumerating the network to identify data stores, including cloud storage and network backups. They then deploy the Zeppelin ransomware as a .dll or .exe file, or within a PowerShell loader. According to CISA, Zeppelin appears to be using the now-usual double-extortion tactic in its recent campaigns: sensitive target data is exfiltrated before the files are encrypted, to be published online later if the victim refuses to pay. Once the Zeppelin ransomware has been executed, a random nine-digit hexadecimal number is appended to each encrypted file as a file extension (for example, file.txt followed by the appended hexadecimal extension).
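Grouping encrypted files by that appended identifier is how a responder can tell how many separate malware runs, and therefore how many distinct decryption keys, a recovery would involve. The following Python script is an added example, not part of this post or of CISA’s advisory; it assumes the identifier is nine hexadecimal digits, optionally split into triplets by dashes (the separator format is an assumption, the post only says “nine-digit hexadecimal number”), and runs over a constructed file listing rather than a real share.

```python
"""Defender-side triage of a file listing for Zeppelin-style encrypted files.

Added example, not from the advisory. Assumptions: an encrypted file keeps its
original name and gains one extra extension of nine hex digits, and each run
of the malware uses a different identifier, so one identifier == one key.
"""
import re
from collections import defaultdict

# Nine hex digits, optionally split into triplets by '-' (separator format is
# an assumption; the post only states "nine-digit hexadecimal number").
_HEX9 = r"[0-9A-Fa-f]{3}-?[0-9A-Fa-f]{3}-?[0-9A-Fa-f]{3}"
# original name (with its own extension) + "." + identifier, end of string
ZEPPELIN_NAME = re.compile(r"^(?P<original>.+\.[^.\\/]+)\.(?P<ident>" + _HEX9 + r")$")

# Constructed listing, e.g. the output of a recursive directory walk on a share.
# Values are invented for the example; they are not real IoCs.
SAMPLE_LISTING = r"""
\\fileserver\finance\Q3-forecast.xlsx.7F3-A10-BC2
\\fileserver\finance\invoices-2022.pdf.7F3-A10-BC2
\\fileserver\finance\README.txt
\\fileserver\hr\payroll.csv.1A2B3C4D5
\\fileserver\hr\handbook.docx.1A2B3C4D5
\\fileserver\backup\nightly.bak.7F3A10BC2
\\fileserver\it\switch-config.log.deadbeef0
"""


def load_listing(text):
    """Split a raw listing into non-empty, stripped path lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_encrypted_name(path):
    """Return (original_path, normalized_identifier), or None if not a match.

    The identifier is normalized (dashes removed, upper-cased) so the same
    malware run is recognized whether or not the extension carries separators.
    """
    m = ZEPPELIN_NAME.match(path)
    if not m:
        return None
    ident = m.group("ident").replace("-", "").upper()
    return m.group("original"), ident


def group_by_identifier(paths, min_files=2):
    """Map each identifier to the original paths it was applied to.

    Identifiers seen on fewer than `min_files` files are discarded: a single
    legitimately named file such as 'switch-config.log.deadbeef0' happens to
    look like an encrypted file, but one malware run touches many files.
    """
    groups = defaultdict(list)
    for p in paths:
        parsed = parse_encrypted_name(p)
        if parsed:
            original, ident = parsed
            groups[ident].append(original)
    return {k: v for k, v in groups.items() if len(v) >= min_files}


def estimate_decryption_keys(paths, min_files=2):
    """One distinct identifier == one malware run == one decryption key needed."""
    return len(group_by_identifier(paths, min_files))


if __name__ == "__main__":
    paths = load_listing(SAMPLE_LISTING)
    groups = group_by_identifier(paths)
    print(f"{len(paths)} paths scanned, "
          f"{estimate_decryption_keys(paths)} distinct encryption run(s) found")
    for ident, files in sorted(groups.items()):
        print(f"  identifier {ident}: {len(files)} file(s)")
        for f in files:
            print(f"    {f}")
```

The threshold in `group_by_identifier` matters in practice: a name-pattern match on its own is only a heuristic, so the script reports an identifier only when it recurs across several files, which is the signature of a mass-encryption run rather than an oddly named file.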
