MSPs and Healthcare Organizations Targeted with New Zeppelin Ransomware Variant

A new ransomware variant is being used in targeted attacks on managed service providers, technology, and healthcare firms, according to security researchers at Blackberry Cylance.

Attacks are being conducted on carefully selected, high-profile targets using a new variant of VegaLocker/Buran ransomware named Zeppelin. VegaLocker has been around since early 2019, and all variants from this family have been used to attack companies in Russian-speaking countries.

Those earlier campaigns were broad and used malvertising to direct users to websites hosting the ransomware. The latest variant is being used in a distinctly different, much more targeted campaign. So far, attacks have only been detected on companies in Europe, the United States, and Canada. If the ransomware is downloaded onto a device in the Russian Federation, Ukraine, Belorussia, or Kazakhstan, it exits and does not encrypt files.

Ransomware variants from the VegaLocker family have all been offered as ransomware-as-a-service, and there are indications that the same is true of Zeppelin ransomware, although the Blackberry Cylance researchers believe different threat actors are responsible for the attacks. Only a small number of attacks have been observed so far, which suggests that a limited number of individuals are conducting them and that targets are being selected carefully.

Zeppelin ransomware is highly customizable and can be deployed as an EXE or DLL file. Samples have also been found that are wrapped in PowerShell loaders. The ransom notes are also customizable and can be changed to suit different campaigns. Several have been detected that incorporate the name of the company being attacked, further demonstrating the highly targeted nature of the campaign.

Attacks have been conducted on multiple tech and health firms as well as managed service providers. In attacks on MSPs, the MSP's own files are encrypted and the ransomware is then deployed on clients' systems through the MSP's remote administration tools. Attacks on service providers are becoming far more common, and several threat actors have adopted this tactic, including those behind Ryuk and Sodinokibi ransomware.

Zeppelin ransomware incorporates several layers of obfuscation to evade security solutions, including encrypted strings, pseudo-random keys, and code of different sizes. The encryption routine can also be delayed to avoid detection by heuristic analysis and to fool sandboxes. The ransomware can also stop backup services and delete backup files and shadow copies to hamper recovery without paying the ransom.
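The backup-service stops and shadow-copy deletions described above are usually the noisiest part of a ransomware run, because they are done with ordinary Windows administration tools whose command lines show up in process-creation telemetry. The following is an added example (not code from the article or from the Blackberry Cylance report) of detection logic that tags such command lines and then correlates them per host, on the principle that one "net stop" is routine but several recovery-inhibiting actions on the same machine within a short window are not. The event records and hostnames are constructed for the example; the command-line patterns are for well-known built-ins (vssadmin, wmic, wbadmin, bcdedit, net, sc) and the backup product names in the last rule are an illustrative list you would replace with the services actually present in your environment.

```python
import re

# Recovery-inhibition behaviours the article attributes to Zeppelin, expressed as
# case-insensitive command-line patterns. The product names in the last rule
# (veeam, acronis) are an assumption for illustration; extend them for your estate.
RULES = {
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "backup_catalog_delete": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "backup_service_stop": re.compile(
        r"\b(net1?|sc)(\.exe)?\s+stop\b.*\b(backup|veeam|acronis|vss)\b", re.I),
}

# Constructed process-creation events (not real telemetry). Fields mirror what a
# Sysmon/EDR process-create record would carry after normalisation.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "alice", "cmd": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\todo.txt'},
    {"host": "srv-02", "user": "svc_rmm", "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-02", "user": "svc_rmm", "cmd": r"wmic shadowcopy delete"},
    {"host": "srv-02", "user": "svc_rmm", "cmd": r"bcdedit /set {default} recoveryenabled No"},
    {"host": "srv-02", "user": "svc_rmm", "cmd": r'net stop "Veeam Backup Service" /y'},
    {"host": "srv-03", "user": "backup_admin", "cmd": r"vssadmin list shadows"},
    {"host": "ws-04", "user": "bob", "cmd": r'net stop "Acronis Agent" /y'},
]


def classify(cmd: str) -> list:
    """Return the sorted list of rule names that match one command line."""
    return sorted(tag for tag, rx in RULES.items() if rx.search(cmd))


def scan(events: list) -> list:
    """Return only the events that matched at least one rule, with their tags attached."""
    hits = []
    for ev in events:
        tags = classify(ev["cmd"])
        if tags:
            hits.append({**ev, "tags": tags})
    return hits


def hosts_with_clustered_activity(events: list, min_tactics: int = 2) -> list:
    """Hosts on which at least `min_tactics` distinct recovery-inhibition tactics
    were seen. A single hit is often legitimate administration; a cluster is the
    stronger signal to page on."""
    tactics_by_host = {}
    for hit in scan(events):
        tactics_by_host.setdefault(hit["host"], set()).update(hit["tags"])
    return sorted(h for h, t in tactics_by_host.items() if len(t) >= min_tactics)


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["host"]:7} {hit["user"]:13} {",".join(hit["tags"]):22} {hit["cmd"]}')
    print("escalate:", hosts_with_clustered_activity(SAMPLE_EVENTS))
```

Run against the constructed events, the scan flags five command lines, leaves the read-only `vssadmin list shadows` alone, and only `srv-02` crosses the two-tactic threshold. In production the same per-host correlation would be bounded by a time window (for example, all tactics within 10 minutes) rather than applied to the whole event list.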

After encryption, the original file name and extension are retained, and file tags that include the word Zeppelin are added. The encryption routine uses symmetric file encryption (AES-256 in CBC mode) with a randomly generated key for each file, along with asymmetric encryption of the session key using a custom RSA implementation.

Some ransomware samples obtained by Blackberry Cylance researchers only encrypt the first 1000 bytes of each file. This is sufficient to render the files unusable, but it also speeds up the encryption process, so there is less chance of the attack being detected and stopped before file encryption has been completed.
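Two of the details above give a defender something concrete to check for during triage: the file name and extension are retained, so a file's magic bytes can be compared against what its extension promises, and when only the first 1000 bytes are encrypted, the head of the file has ciphertext-like entropy while the rest still looks like plaintext. The following is an added example, not code from the article or from the Blackberry Cylance report, that scores files on those two observations. The sample files are constructed in memory; the "ciphertext" is seeded pseudo-random bytes standing in for an encrypted head (no actual encryption is performed), and the 1000-byte window and entropy thresholds are assumptions you would tune against your own data.

```python
import math
import os
import random
from collections import Counter

# Magic bytes for a few common formats (well-known values; a small table for illustration).
MAGIC_BY_EXT = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}

HEAD_LEN = 1000       # partial-encryption window the article describes
HIGH_ENTROPY = 7.0    # bits/byte; ciphertext and compressed data sit near 8.0
LOW_ENTROPY = 6.0     # text and office formats usually sit well below this


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(name: str, data: bytes) -> dict:
    """Compare the extension's expected magic with the real header, then use the
    head/tail entropy split to tell partial from whole-file encryption."""
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC_BY_EXT.get(ext)
    head, tail = data[:HEAD_LEN], data[HEAD_LEN:]
    h_head, h_tail = shannon_entropy(head), shannon_entropy(tail)
    result = {"name": name, "head_entropy": round(h_head, 2), "tail_entropy": round(h_tail, 2)}
    if expected is None:
        result["verdict"] = "unknown_type"          # no magic to compare against
    elif data.startswith(expected):
        result["verdict"] = "clean"                 # header intact
    elif h_head >= HIGH_ENTROPY and tail and h_tail <= LOW_ENTROPY:
        result["verdict"] = "partial_encryption_suspected"
    elif h_head >= HIGH_ENTROPY:
        result["verdict"] = "encrypted_throughout_or_unknown"
    else:
        result["verdict"] = "magic_mismatch"        # wrong header but not ciphertext-like
    return result


def suspicious_files(files: dict) -> list:
    """Names of files whose verdict indicates tampering, sorted for stable output."""
    bad = {"partial_encryption_suspected", "encrypted_throughout_or_unknown"}
    return sorted(n for n, d in files.items() if assess_file(n, d)["verdict"] in bad)


# --- constructed sample files (not real artefacts) ---------------------------------
CLEAN_PDF = b"%PDF-1.4\n" + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" * 80
_rng = random.Random(2019)   # seeded so the example is reproducible
FAKE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(HEAD_LEN))
PARTIAL_PDF = FAKE_CIPHERTEXT + CLEAN_PDF[HEAD_LEN:]          # only the first 1000 bytes replaced
FULL_PDF = bytes(_rng.getrandbits(8) for _ in range(len(CLEAN_PDF)))  # whole file replaced

SAMPLE_FILES = {
    "invoice.pdf": CLEAN_PDF,
    "contract.pdf": PARTIAL_PDF,
    "archive.pdf": FULL_PDF,
    "notes.txt": b"plain text notes\n" * 50,
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(assess_file(name, data))
    print("suspicious:", suspicious_files(SAMPLE_FILES))
```

The head/tail split is what distinguishes the partially encrypted document (high-entropy head, low-entropy tail) from a fully encrypted one, and the magic check is what keeps legitimately compressed formats such as ZIP-based Office files from being flagged merely for being high-entropy.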

As is common in these targeted attacks, a ransom note is dropped that provides email addresses through which victims can contact the attackers. This allows the attackers to set the ransom demand based on the perceived ability of the victim to pay.

It is unclear what methods are being used to distribute Zeppelin ransomware. The researchers found one sample on watering-hole websites, with the ransomware payload hosted on Pastebin, but several distribution methods may be in use.

Protecting against attacks requires a combination of security solutions and the adoption of cybersecurity best practices: block unnecessary open ports, change all default passwords, disable RDP if possible, use an advanced spam filtering solution, apply patches promptly, and keep operating systems and software up to date. Ensure staff are trained and follow security best practices, and make sure backups are created regularly and tested so that file recovery is known to be possible. It is also essential for one backup copy to be stored securely on a device that is not connected to the network.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.