Zeppelin Ransomware – Single Decryption key not enough

The US authorities have warned that victims of a Zeppelin, the ransomware-as-a-service family may require multiple unique decryption keys to stand a chance of getting their data back.

The FBI has observed Zeppelin actors execute their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack. This results in the victim needing several unique decryption keys.

According to CISA, Zeppelin, main targets have been in the healthcare and medical industries. Zeppelin actors gain access to victim networks via RDP exploitation, exploiting SonicWall firewall vulnerabilities and phishing campaigns.

Threat actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves before deploying. This includes cloud storage and network backups. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.

Threat actors aim to trick users into clicking on a malicious link or opening a booby-trapped attachment to execute malicious macros. Zeppelin affiliates also try to exfiltrate data before deploying their final payload and leaving a ransom note.

CISA listed recommended mitigations for Zeppelin, ranging from best practice password management and multi-factor authentication to regular patching, network segmentation, disabling unused ports, and maintaining offline data backups.

Organizations should also disable command-line and scripting activities and permissions, follow an access policy of least privilege, and implement time-based access for accounts set at admin level and higher.

Indicators of Compromise

• 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d
• a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b
• aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe
• a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037
• 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1
• fb59f163a2372d09cd0fc75341d3972fdd3087d2d507961303656b1d791b17c6
• 1e3c5a0aa079f8dfcc49cdca82891ab78d016a919d9810120b79c5deb332f388
• 347f14497df4df73bc414f4e852c5490b12db991a4b3811712bac7476a3f1bc9
• 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55
• 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e
• 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072
• 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e
• bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d
• faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6
• e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878
• 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080
• 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846
• dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f
• 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c
• b22b3625bcce7b010c0ee621434878c5f8d7691c2a101ae248dd221a70668ac0
• 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910
• d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c
• 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2
• 5326f52bd9a7a52759fe2fde3407dc28e8c2caa33abf1c09c47b192a1c004c12
• 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b
• f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d
• bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509
• ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b
• cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2
• 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d
• 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499
• 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9
• e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9
• 353e59e96cbf6ea6c16d06da5579d3815aaaeeefacabd7b35ba31f7b17207c5b
• 85f9bf4d07bc2ac1891e367f077dd513d6ca07705bffd1b648d32a7b2dc396f5
• 614cb70659ef5bb2f641f09785adc4ab5873e0564a5303252d3c141a899253b2
• fb3e0f1e6f53ffe680d66d2143f06eb6363897d374dc5dc63eb2f28188b8ad83
• 594df9c402abfdc3c838d871c3395ac047f256b2ac2fd6ff66b371252978348d
• 2dffe3ba5c70af51ddf0ff5a322eba0746f3bf3ae0751beb3dc0059ed3faaf3d
• 45fba1ef399f41227ae4d14228253237b5eb464f56cab92c91a6a964dc790622
• 774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279
• 677035259ba8342f1a624fd09168c42017bdca9ebc0b39bf6c37852899331460
• 26ec12b63c0e4e60d839aea592c4b5dcff853589b53626e1dbf8c656f4ee6c64
• 37efe10b04090995e2f3d9f932c3653b27a65fc76811fa583934a725d41a6b08
• a5847867730e7849117c31cdae8bb0a25004635d49f366fbfaebce034d865d7d
• e61edbddf9aed8a52e9be1165a0440f1b6e9943ae634148df0d0517a0cf2db13
• 746f0c02c832b079aec221c04d2a4eb790287f6d10d39b95595a7df4086f457f
• b191a004b6d8a706aba82a2d1052bcb7bed0c286a0a6e4e0c4723f073af52e7c
• 614cb70659ef5bb2f641f09785adc4ab5873e0564a5303252d3c141a899253b2
• 85f9bf4d07bc2ac1891e367f077dd513d6ca07705bffd1b648d32a7b2dc396f5
• 353e59e96cbf6ea6c16d06da5579d3815aaaeeefacabd7b35ba31f7b17207c5b
• e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9
• 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9
• 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499