+44 (0)203 88 020 88

0
0
Subtotal: £0.00

No products in the basket.

No products in the basket.

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

What is Zeppelin Ransomware?

Ransomware is the biggest cyber threat for UK organisations according to the National Cyber Security Centre (NCSC), with the number of different types of ransomware doubling this year already, from 5,400 in late 2021, to 10,666 after just six months of 2022. A report by Fortinet suggests this rise could be due to the development of ransomware-as-a-service (RaaS), where cyber criminals advertise their skills online in a subscription-style service to perform ransomware attacks for a portion of the profits. Since 2019, a RaaS group known as Zeppelin have targeted organisations across North America and Europe. Previously known as VegaLocker, Jamper, and Buran Ransomware, this group advertised its services to others on Russian hacker forums, where they would get to keep 25% of the ransom.  

The targets for the Zeppelin ransomware group have ranged from the medical and healthcare sectors to defence contractors, manufacturers, tech companies, and educational institutions. This Russian-based group have included the capability in their malware for it to detect if it is running on a machine located in a Commonwealth of Independent States (CIS) country, by checking the Windows language settings, or the default country code. The malware is set to remove itself from the device and network if it believes itself to be in one of these locations, such as Russia, Ukraine, Belorussia, and Kazakhstan, making it’s targeting of Western European and U.S. organisations more specific. 

The UK’s National Health Service (NHS) released a cyber alert in 2021 after they suffered a Zeppelin attack which was delivered through a phishing campaign. This attack utilised malicious macros in Microsoft Word documents that were sent to the victims as phishing emails. These macros deliver the payload script which triggers the download of Zeppelin onto the device. The NHS also reported that a remote management software tool ConnectWise Control was being used to transfer the malware across an already compromised network. The BlackBerry Cylance Threat Research Team also suggested the use of management software to spread the malware across a network back in 2019, in a security blog post that detailed how the then-new Zeppelin malware functioned. 

Zeppelin malware is first introduced to a network through one of three attack vectors: exploitation of the remote desktop protocol (RDP); exploiting a vulnerability in a public-facing SonicWall firewall; or through malicious documents with enabled macros sent via email in phishing campaigns. Threat actors then typically spend about two weeks mapping the victim’s network, including identifying cloud storage and backups. After this has been completed, the ransomware is deployed as a .dll or a .exe file, which can be contained within a PowerShell loader. The malware communicates with a command and control (C2) server to confirm whether it is in one of the CIS countries. If it is, the file will remove itself. If not, the C2 server will respond with an encryption command. 

An empty file is next created in the %TEMP% directory, with the extension .zeppelin added. Sensitive data is exfiltrated to sell or publish if the ransom is not paid before the encryption process begins. When the ransomware encrypts files, a nine-digit hexadecimal number is generated and added on to the end of each encrypted file as a file extension. These specific markers can then be used as file IDs, and originate from the first 11 bytes of the asymmetric encryption key use for this file. A ransom note is then deposited on the desktop of the compromised device, stating the attacker’s demands, and instructions on how to pay the ransom, including threats for exposing files if it is not paid, and a personal ID that can be used to identify the ransom payment. 

This month, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) released a joint security advisory as a part of their #StopRansomware campaign. In this, the FBI revealed that they had observed instances of Zeppelin attacks where the malware was executed multiple times in the target network. This caused different IDs to be generated for each instance of attack, so the victims would require multiple unique decryption keys in order to recover all of their files. FBI advice to organisations that have fallen victim to a ransomware attack is to not pay the ransom. Paying does not guarantee recovery of files and can encourage cyber criminals to repeat attacks on the same or other organisations as they have received financial compensation for the attacks. 

Organisations can mitigate some of the risks of ransomware by ensuring their devices and network meet high cyber security standards, and preparing in advance for potential threats to their data. The NCSC recommend a defence in depth approach to best protect systems from ransomware. Account security such as requiring multi-factor authentication (MFA) for all critical systems, and following the NIST standards for password security can help prevent initial access for attackers and keep your network secure. Accounts should also be configured using the principle of least privilege to prevent malicious actors from executing high level code if access is achieved. Disabling command-line scripting permissions can also prevent lateral movement or elevation of privileges by attackers by taking away their access to command line tools. 

Other initial access routes for attackers can be through emails, or by utilising known vulnerabilities in software. Disabling hyperlinks in emails, adding email banners to signal when a sender is external to the organisation, and keeping all software including operating systems up to date with the latest security patches will help to mitigate these risk areas. Storing multiple copies of sensitive data, in physically separate locations, such as on a hard drive and in the cloud, can reduce the likelihood of total data loss in the event of an attack. Additionally, segmentation of networks can reduce the spread of malware if it does manage to infect one device or network segment, as segmentation can control the flow of data between subnetworks. Additional guidance on reducing risk of compromise can be found on the CISA and NCSC websites. 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

Scroll to Top