Protect Your Data and Boost Compliance: DPDP Act and Cybersecurity for Indian Manufacturers

Register Today
zeppelin-ransomware

Analysis

On 11th August 2022, the FBI and CISA together published a blog with its latest findings about the zeppelin ransomware. The zeppelin ransomware is a Ransomware as a service (RaaS) that is in operation from 2019 – 2022.

The Zeppelin threat actors mostly target organizations such as healthcare and medical industries, Educational institutions, Defence contractors, and technology companies, it was reported that the threat actors demanded ransom between thousand to millions of dollars as a bitcoin.

The threat actors gain initial access through three methods of phishing campaigns, RDP exploitation and exploiting sonic firewall vulnerabilities, then the threat actors start to enumerate and map the organization network, followed by this the threat actors drop zeppelin ransomware as .dll or .exe or contained within PowerShell loader.

Before encryption, the threat actors start to exfiltrate the company's sensitive data and demand ransom, then once the ransomware is executed it starts to encrypt the files and append nine-digit hexadecimal characters as an extension to each encrypted file and leaves a note ransom note on the compromised system.

Prevention

  • Take regular backups of servers, end devices, and other storage devices to reduce the impact of any kind of ransomware attack.
  • Scan the environment to find known vulnerabilities and fix regular intervals.
  • Educate employees to download applications from legitimate sites and create awareness about phishing.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Disable unused ports.

Detection

Use Real-time Virus and malware detection tools over all the devices in the organization.

Use Endpoint detection and response tools to detect lateral movement as they have insight into common and uncommon network connections for each host.

MITRE ATT&CK Techniques

Initial Access

Technique title ID Use
Exploit External Remote Services T1133

Zeppelin actors exploit RDP

to gain access to the victim

 

Exploit Public-Facing Application

T1190

Zeppelin actors exploit

vulnerabilities in the internet-

facing systems to gain

access to systems.

Phishing T1566

Zeppelin actors have used

phishing and spear phishing

to gain access to victims'

networks.

Execution

Technique title ID Use
Malicious Link

 

T1204.00

1

Zeppelin actors trick users

click a malicious link to

execute malicious macros.

Malicious File Attachment

T1204.00

2

 

Zeppelin actors trick users

click malicious attachments

disguised as advertisements

to execute malicious

macros.

Persistence

Technique title ID Use
Modify System Process

T1543.00

3

Zeppelin actors encrypt

Windows Operating

functions to preserve

compromised system

functions.

 

Impact

Technique title ID Use
Data Encrypted for Impact T1486

Zeppelin actors have

encrypted data on the target

systems or on large

numbers of systems in a

network to interrupt

availability to the system and

network resources.

 

Indicators of Compromise (IOCs)

SHA256
001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d
a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b
aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe
a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037
54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1
fb59f163a2372d09cd0fc75341d3972fdd3087d2d507961303656b1d791b17c6
1e3c5a0aa079f8dfcc49cdca82891ab78d016a919d9810120b79c5deb332f388
347f14497df4df73bc414f4e852c5490b12db991a4b3811712bac7476a3f1bc9
7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55
37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e
894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072
307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e
bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d
faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6
e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878
4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080
9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846
dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f
79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c
b22b3625bcce7b010c0ee621434878c5f8d7691c2a101ae248dd221a70668ac0
961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910
d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c
8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2
5326f52bd9a7a52759fe2fde3407dc28e8c2caa33abf1c09c47b192a1c004c12
6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b
f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d
bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509
ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b
cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2
21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d
0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499
6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9
e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9
353e59e96cbf6ea6c16d06da5579d3815aaaeeefacabd7b35ba31f7b17207c5b
85f9bf4d07bc2ac1891e367f077dd513d6ca07705bffd1b648d32a7b2dc396f5
614cb70659ef5bb2f641f09785adc4ab5873e0564a5303252d3c141a899253b2
fb3e0f1e6f53ffe680d66d2143f06eb6363897d374dc5dc63eb2f28188b8ad83
594df9c402abfdc3c838d871c3395ac047f256b2ac2fd6ff66b371252978348d
2dffe3ba5c70af51ddf0ff5a322eba0746f3bf3ae0751beb3dc0059ed3faaf3d
45fba1ef399f41227ae4d14228253237b5eb464f56cab92c91a6a964dc790622
774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279
677035259ba8342f1a624fd09168c42017bdca9ebc0b39bf6c37852899331460
26ec12b63c0e4e60d839aea592c4b5dcff853589b53626e1dbf8c656f4ee6c64
37efe10b04090995e2f3d9f932c3653b27a65fc76811fa583934a725d41a6b08
a5847867730e7849117c31cdae8bb0a25004635d49f366fbfaebce034d865d7d
e61edbddf9aed8a52e9be1165a0440f1b6e9943ae634148df0d0517a0cf2db13
746f0c02c832b079aec221c04d2a4eb790287f6d10d39b95595a7df4086f457f
b191a004b6d8a706aba82a2d1052bcb7bed0c286a0a6e4e0c4723f073af52e7c
614cb70659ef5bb2f641f09785adc4ab5873e0564a5303252d3c141a899253b2
85f9bf4d07bc2ac1891e367f077dd513d6ca07705bffd1b648d32a7b2dc396f5
353e59e96cbf6ea6c16d06da5579d3815aaaeeefacabd7b35ba31f7b17207c5b
e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9
6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9
0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499

 

References

CISA.gov

 

Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.