Zeppelin is the latest member of the VegaLocker ransomware family, which also contains strains like Jamper, Storm, or Buran. Zeppelin is an example of well-organized threat actors, as those behind Zeppelin have been incredibly strategic in carefully targeting these ransomware attacks. First spotted in November 2019, Zeppelin has been targeting primarily large companies in Europe and the United States.
How Does Zeppelin Work?
The VegaLocker family appears to be an example of an increasingly common Ransomware-as-a-service (RaaS), in which cybercriminals create ransomware, and either sell it to others or rent it and take a portion of any bounty collected when it is used in a successful attack. This model not only allows people who don’t know how to create ransomware to be become attackers, it also means that similar strains can be run by entirely different people. Unlike the broader reach of VegaLocker family attacks geared toward Russian speakers, the threat actors behind Zeppelin are running a precision campaign, targeting high-profile technology and healthcare companies in western countries. A more recent attack may also indicate that real estate firms are their latest target.
Other VegaLocker strains used methods like malvertising, in which malware laden advertisements are placed directly on webpages or through advertising networks, infecting anyone who clicks on them. Zeppelin, on the other hand, is believed to be relying heavily on water-holing attacks, in which websites that are likely to be visited by targeted victims are embedded with malware. It has also been found on Pastebin, a plaintext storage site where code snippets are posted for review. Additionally, Zeppelin is easily configurable and can be deployed as a .dll or .exe file, or wrapped in a PowerShell loader.
Once Zeppelin has entered the infrastructure, it installs itself in a temporary folder named .zeppelin, and spreads throughout the infected device. Once spread, it begins to encrypt files. Though what is encrypted can be configured by the threat actor, by default, it encrypts Windows operating system directories, web browser applications, system boot files, and user files in order to preserve system function. Once encryption is complete, a note appears in Notepad informing the victims that they have been attacked, and that ransom must be paid for the return of their data. The contents have varied from a generic one titled, !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT, to those more personalized to the organization. There is often an offer of free decryption of a single file offered as proof that decryption is possibly used as a lure to encourage payment.
What to do After a Zeppelin Attack
Researchers have found that in some instances, files were only partially encrypted, which may be a bug, or an intentional feature to make the files unusable. In a recent case, data was not even encrypted, but simply stolen, either to add additional pressure to pay the ransom, or to try and sell the data on the dark web if payment didn’t go through. Either way, once you receive the ransom note, there are only two options: pay the ransom or rebuild from backups/scratch. No matter your decision, it is strongly recommended that you contact authorities. For example, U.S. companies can contact the FBI, either through their local office, or with an IC3 complaint form. Such agencies are often the most capable of widely disseminating information, putting other organizations on high alert. From there, the focus should be on rebuilding with stronger safeguards in place with a strong emphasis on early detection.
How to Prevent Zeppelin Attacks
Ransomware infection can be difficult to prevent, as it is often transmitted through social engineering attacks, which regularly come down to careless or unassuming users. However, ransomware typically lurks for some time, finding sensitive files to steal or encrypt. The ransom only occurs at the end of the attack, so as long as you can detect the ransomware before then, it significantly reduces the risk of long term or permanent damage.
This can be swiftly accomplished with Network Insight, an agentless, and OS/platform agnostic compromised device detection solution which is able to detect malware infections like Zeppelin with certainty. Network Insight uses threat intelligence collected by our global sensor network to identify and track the indicators of compromise since it first appeared on the scene. Zeppelin uses a legitimate domain IPLogger to track IP addresses and the location of victims, using compromised shortened URLs that redirect to malicious downloads. We can track these malicious URL strings with Network Insight. Additionally, we can also follow the user agent field in the HTTP traffic, as it uses “ZEPPELIN” in the field.
Our understanding of normal network behaviours and highlighting network behaviours outside this norm enables Core Security to detect highly sophisticated attacks, even APTs, without having ever seen them before. This may sound simple, but in fact we use over 14 years of data science and applied machine learning containing tens of billions of data points to be able to detect these attacks before the damage of ransomware can occur.
Pen testing and pen testing solutions like Core Impact can also help prepare users better recognize ransomware infection methods. Zeppelin, for instance, is capable of being transmitted through phishing attacks, when a user is tricked into clicking a link in an email designed to look as though it came from a trusted source. Social engineering pen testing can uncover who is susceptible to these attacks, and recommend additional training to make your employees more vigilant before clicking another suspicious email.