Ransomware is the biggest cyber threat for UK organisations according to the National Cyber Security Centre (NCSC), with the number of different types of ransomware doubling this year already, from 5,400 in late 2021 to 10,666 after just six months of 2022. A report by Fortinet suggests this rise could be due to the development of ransomware-as-a-service (RaaS), where cyber criminals advertise their skills online in a subscription-style service to perform ransomware attacks for a portion of the profits. Since 2019, a RaaS group known as Zeppelin has targeted organisations across North America and Europe. Previously known as VegaLocker, Jamper, and Buran Ransomware, this group advertised its services to others on Russian hacker forums, keeping 25% of any ransom paid.
The targets of the Zeppelin ransomware group have ranged from the medical and healthcare sectors to defence contractors, manufacturers, tech companies, and educational institutions. This Russian-based group has built into its malware the capability to detect whether it is running on a machine located in a Commonwealth of Independent States (CIS) country, by checking the Windows language settings or the default country code. The malware is set to remove itself from the device and network if it believes itself to be in one of these locations, such as Russia, Ukraine, Belorussia, and Kazakhstan, making its targeting of Western European and U.S. organisations more specific.
The UK’s National Health Service (NHS) released a cyber alert in 2021 after it suffered a Zeppelin attack delivered through a phishing campaign. This attack utilised malicious macros in Microsoft Word documents that were sent to the victims as phishing emails. These macros deliver the payload script which triggers the download of Zeppelin onto the device. The NHS also reported that the remote management tool ConnectWise Control was being used to transfer the malware across an already compromised network. The BlackBerry Cylance Threat Research Team also suggested the use of management software to spread the malware across a network back in 2019, in a security blog post that detailed how the then-new Zeppelin malware functioned.
Zeppelin malware is first introduced to a network through one of three attack vectors: exploitation of the remote desktop protocol (RDP); exploiting a vulnerability in a public-facing SonicWall firewall; or through malicious documents with enabled macros sent via email in phishing campaigns. Threat actors then typically spend about two weeks mapping the victim’s network, including identifying cloud storage and backups. After this has been completed, the ransomware is deployed as a .dll or a .exe file, which can be contained within a PowerShell loader. The malware communicates with a command and control (C2) server to confirm whether it is in one of the CIS countries. If it is, the file will remove itself. If not, the C2 server will respond with an encryption command.
An empty file is next created in the %TEMP% directory, with the extension .zeppelin added. Before the encryption process begins, sensitive data is exfiltrated so that it can be sold or published if the ransom is not paid. When the ransomware encrypts files, a nine-digit hexadecimal number is generated and appended to each encrypted file as a file extension. These specific markers can then be used as file IDs, and originate from the first 11 bytes of the asymmetric encryption key used for this file. A ransom note is then deposited on the desktop of the compromised device, stating the attacker’s demands and instructions on how to pay the ransom, including threats to expose files if it is not paid, and a personal ID that can be used to identify the ransom payment.
This month, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) released a joint security advisory as a part of their #StopRansomware campaign. In this, the FBI revealed that they had observed instances of Zeppelin attacks where the malware was executed multiple times in the target network. This caused different IDs to be generated for each instance of attack, so the victims would require multiple unique decryption keys in order to recover all of their files. FBI advice to organisations that have fallen victim to a ransomware attack is to not pay the ransom. Paying does not guarantee recovery of files and can encourage cyber criminals to repeat attacks on the same or other organisations as they have received financial compensation for the attacks.
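A small triage script, added here as an illustration and not taken from the advisory or any vendor tooling, that sweeps a file listing for the two on-disk markers described above (the .zeppelin file in %TEMP% and the nine-digit hexadecimal suffix on encrypted files) and counts how many distinct file IDs are present, which is the multi-execution case that needs several decryption keys. It assumes the nine digits are contiguous hex; adjust the pattern to what you actually observe.

```python
import re
from collections import Counter
from pathlib import Path, PureWindowsPath
from typing import Iterable, Optional

# Two on-disk markers from the write-up: a nine-digit hexadecimal file ID
# appended as an extension to every encrypted file, and an empty ".zeppelin"
# file dropped in %TEMP%. The contiguous layout of the nine digits is an
# assumption made here for the example; adjust the regex to what you observe.
FILE_ID_RE = re.compile(r"\.([0-9A-Fa-f]{9})$")
MARKER_EXT = ".zeppelin"


def zeppelin_file_id(name: str) -> Optional[str]:
    """Return the nine-hex-digit file ID if `name` carries one, else None."""
    m = FILE_ID_RE.search(name)
    return m.group(1).upper() if m else None


def triage(names: Iterable[str]) -> dict:
    """Summarise a listing of file paths for Zeppelin indicators.

    Encrypted files are counted per file ID. Several distinct IDs on one
    host is the multi-execution pattern the FBI described: each ID needs
    its own decryption key, so the count matters for recovery planning.
    """
    ids: Counter = Counter()
    markers = []
    for n in names:
        base = PureWindowsPath(n).name  # handles both slash styles
        if base.lower().endswith(MARKER_EXT):
            markers.append(str(n))
            continue
        fid = zeppelin_file_id(base)
        if fid:
            ids[fid] += 1
    return {
        "encrypted_files": sum(ids.values()),
        "file_ids": dict(ids),
        "distinct_ids": len(ids),
        "marker_files": markers,
    }


def scan_tree(root: Path) -> dict:
    # Walk a directory tree (e.g. a mounted forensic image) and triage it.
    return triage(str(p) for p in root.rglob("*") if p.is_file())


# Constructed sample listing (not real data): two file IDs, one marker file.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.1A2B3C4D5",
    r"C:\Users\alice\Documents\notes.txt.1A2B3C4D5",
    r"C:\Shares\finance\q3.pdf.ABCDEF012",
    r"C:\Users\alice\AppData\Local\Temp\report.zeppelin",
    r"C:\Users\alice\Documents\README.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Run `scan_tree(Path("/mnt/image"))` against a mounted copy of the affected volume rather than the live host, so the triage itself leaves no trace on the evidence.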
Organisations can mitigate some of the risks of ransomware by ensuring their devices and network meet high cyber security standards, and preparing in advance for potential threats to their data. The NCSC recommend a defence in depth approach to best protect systems from ransomware. Account security such as requiring multi-factor authentication (MFA) for all critical systems, and following the NIST standards for password security can help prevent initial access for attackers and keep your network secure. Accounts should also be configured using the principle of least privilege to prevent malicious actors from executing high level code if access is achieved. Disabling command-line scripting permissions can also prevent lateral movement or elevation of privileges by attackers by taking away their access to command line tools.
Other initial access routes for attackers can be through emails, or by utilising known vulnerabilities in software. Disabling hyperlinks in emails, adding email banners to signal when a sender is external to the organisation, and keeping all software including operating systems up to date with the latest security patches will help to mitigate these risk areas. Storing multiple copies of sensitive data, in physically separate locations, such as on a hard drive and in the cloud, can reduce the likelihood of total data loss in the event of an attack. Additionally, segmentation of networks can reduce the spread of malware if it does manage to infect one device or network segment, as segmentation can control the flow of data between subnetworks. Additional guidance on reducing risk of compromise can be found on the CISA and NCSC websites.