Analysis
On 11th August 2022, the FBI and CISA together published a blog with its latest findings about the zeppelin ransomware. The zeppelin ransomware is a Ransomware as a service (RaaS) that is in operation from 2019 – 2022.
The Zeppelin threat actors mostly target organizations such as healthcare and medical industries, Educational institutions, Defence contractors, and technology companies, it was reported that the threat actors demanded ransom between thousand to millions of dollars as a bitcoin.
The threat actors gain initial access through three methods of phishing campaigns, RDP exploitation and exploiting sonic firewall vulnerabilities, then the threat actors start to enumerate and map the organization network, followed by this the threat actors drop zeppelin ransomware as .dll or .exe or contained within PowerShell loader.
Before encryption, the threat actors start to exfiltrate the company's sensitive data and demand ransom, then once the ransomware is executed it starts to encrypt the files and append nine-digit hexadecimal characters as an extension to each encrypted file and leaves a note ransom note on the compromised system.
Prevention
- Take regular backups of servers, end devices, and other storage devices to reduce the impact of any kind of ransomware attack.
- Scan the environment to find known vulnerabilities and fix regular intervals.
- Educate employees to download applications from legitimate sites and create awareness about phishing.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Disable unused ports.
Detection
Use Real-time Virus and malware detection tools over all the devices in the organization.
Use Endpoint detection and response tools to detect lateral movement as they have insight into common and uncommon network connections for each host.
MITRE ATT&CK Techniques
Initial Access
| Technique title | ID | Use |
| Exploit External Remote Services | T1133 |
Zeppelin actors exploit RDP to gain access to the victim
|
|
Exploit Public-Facing Application |
T1190 |
Zeppelin actors exploit vulnerabilities in the internet- facing systems to gain access to systems. |
| Phishing | T1566 |
Zeppelin actors have used phishing and spear phishing to gain access to victims' networks. |
Execution
| Technique title | ID | Use |
| Malicious Link |
T1204.00 1 |
Zeppelin actors trick users click a malicious link to execute malicious macros. |
| Malicious File Attachment |
T1204.00 2
|
Zeppelin actors trick users click malicious attachments disguised as advertisements to execute malicious macros. |
Persistence
| Technique title | ID | Use |
| Modify System Process |
T1543.00 3 |
Zeppelin actors encrypt Windows Operating functions to preserve compromised system functions.
|
Impact
| Technique title | ID | Use |
| Data Encrypted for Impact | T1486 |
Zeppelin actors have encrypted data on the target systems or on large numbers of systems in a network to interrupt availability to the system and network resources. |
Indicators of Compromise (IOCs)
| SHA256 |
| 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d |
| a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b |
| aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe |
| a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037 |
| 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1 |
| fb59f163a2372d09cd0fc75341d3972fdd3087d2d507961303656b1d791b17c6 |
| 1e3c5a0aa079f8dfcc49cdca82891ab78d016a919d9810120b79c5deb332f388 |
| 347f14497df4df73bc414f4e852c5490b12db991a4b3811712bac7476a3f1bc9 |
| 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55 |
| 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e |
| 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072 |
| 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e |
| bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d |
| faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6 |
| e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878 |
| 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080 |
| 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846 |
| dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f |
| 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c |
| b22b3625bcce7b010c0ee621434878c5f8d7691c2a101ae248dd221a70668ac0 |
| 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910 |
| d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c |
| 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2 |
| 5326f52bd9a7a52759fe2fde3407dc28e8c2caa33abf1c09c47b192a1c004c12 |
| 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b |
| f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d |
| bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509 |
| ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b |
| cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2 |
| 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d |
| 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499 |
| 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9 |
| e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9 |
| 353e59e96cbf6ea6c16d06da5579d3815aaaeeefacabd7b35ba31f7b17207c5b |
| 85f9bf4d07bc2ac1891e367f077dd513d6ca07705bffd1b648d32a7b2dc396f5 |
| 614cb70659ef5bb2f641f09785adc4ab5873e0564a5303252d3c141a899253b2 |
| fb3e0f1e6f53ffe680d66d2143f06eb6363897d374dc5dc63eb2f28188b8ad83 |
| 594df9c402abfdc3c838d871c3395ac047f256b2ac2fd6ff66b371252978348d |
| 2dffe3ba5c70af51ddf0ff5a322eba0746f3bf3ae0751beb3dc0059ed3faaf3d |
| 45fba1ef399f41227ae4d14228253237b5eb464f56cab92c91a6a964dc790622 |
| 774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279 |
| 677035259ba8342f1a624fd09168c42017bdca9ebc0b39bf6c37852899331460 |
| 26ec12b63c0e4e60d839aea592c4b5dcff853589b53626e1dbf8c656f4ee6c64 |
| 37efe10b04090995e2f3d9f932c3653b27a65fc76811fa583934a725d41a6b08 |
| a5847867730e7849117c31cdae8bb0a25004635d49f366fbfaebce034d865d7d |
| e61edbddf9aed8a52e9be1165a0440f1b6e9943ae634148df0d0517a0cf2db13 |
| 746f0c02c832b079aec221c04d2a4eb790287f6d10d39b95595a7df4086f457f |
| b191a004b6d8a706aba82a2d1052bcb7bed0c286a0a6e4e0c4723f073af52e7c |
| 614cb70659ef5bb2f641f09785adc4ab5873e0564a5303252d3c141a899253b2 |
| 85f9bf4d07bc2ac1891e367f077dd513d6ca07705bffd1b648d32a7b2dc396f5 |
| 353e59e96cbf6ea6c16d06da5579d3815aaaeeefacabd7b35ba31f7b17207c5b |
| e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9 |
| 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9 |
| 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499 |
References
CISA.gov
