Full Report
CISA has seen a resurgence of the malware, which targets a range of verticals and critical infrastructure organizations by exploiting RDP and firewall vulnerabilities.
Analysis Summary
# Threat Actor: Zeppelin Ransomware Operators
## Attribution & Identity
The threat actors utilize Zeppelin ransomware, which is a variant of the Delphi-based Ransomware-as-a-Service (RaaS) family, initially known as Vega or VegaLocker. Zeppelin emerged around the beginning of 2019. The specific group operating the RaaS is not definitively named, but CISA communications provide alerts regarding its activity.
## Activity Summary
The advisory from CISA indicates a resurgence of Zeppelin ransomware campaigns (as of August 2022). Threat actors are using new compromise and encryption tactics against various vertical industries, particularly focused on healthcare and critical infrastructure organizations. Campaigns have been observed as recently as June 21.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of Remote Desktop Protocol (RDP) and known SonicWall firewall vulnerabilities. Previously used phishing campaigns have also been employed for initial access.
- **Execution:** The malware can be deployed as a `.dll` or `.exe` file, or contained within a PowerShell loader.
- **Defense Evasion/Discovery:** Threat actors spend one to two weeks mapping or enumerating the network post-infiltration to identify data enclaves, including cloud storage and network backups.
- **Impact/Encryption:** A new tactic of executing the malware multiple times within a victim's network, so that multiple unique decryption keys are required for recovery ('multi-encryption tactics').
- **Exfiltration:** Appears to utilize double extortion tactics by exfiltrating sensitive data prior to encryption for potential publication.
- **File Marking:** Encrypted files are appended with a randomized nine-digit hexadecimal number as a file extension (e.g., `file.txt.C59-E0C-929`).
- **Note Drop:** Typically drops a ransom note file on the user's desktop.
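An added triage example, not taken from the CISA advisory or this report: it scans a file listing for the nine-digit hexadecimal extension pattern described above and counts distinct markers as a signal of the multi-encryption tactic. It assumes each execution leaves its own distinct marker; the file paths are constructed.

```python
import re
from collections import Counter

# Zeppelin appends a randomised nine-digit hexadecimal marker in three groups
# of three (e.g. file.txt.C59-E0C-929). Match only that exact shape.
ZEPPELIN_EXT = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$", re.IGNORECASE)


def zeppelin_marker(path: str):
    """Return the normalised marker if the file carries a Zeppelin-style extension, else None."""
    m = ZEPPELIN_EXT.search(path)
    return m.group(1).upper() if m else None


def triage(paths):
    """Group affected files by marker.

    Assumption: one marker per execution, so several distinct markers on one
    host suggest the malware was run more than once (multi-encryption).
    """
    markers = Counter()
    hits = []
    for p in paths:
        mk = zeppelin_marker(p)
        if mk:
            markers[mk] += 1
            hits.append((p, mk))
    return {"hits": hits, "markers": dict(markers), "distinct_runs": len(markers),
            "multi_encryption_suspected": len(markers) >= 2}


# Constructed sample listing: two markers on the same share, plus clean files.
SAMPLE_PATHS = [
    "/srv/share/finance/q2.xlsx.C59-E0C-929",
    "/srv/share/finance/notes.txt.C59-E0C-929",
    "/srv/share/hr/benefits.pdf.A1B-2C3-D4E",
    "/srv/share/hr/README.md",
    "/srv/share/it/backup.tar.gz",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for path, mk in result["hits"]:
        print(f"{mk}  {path}")
    print("distinct markers:", result["distinct_runs"],
          "| multi-encryption suspected:", result["multi_encryption_suspected"])
```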
## Targeting
- **Sectors:** Healthcare (most often targeted recently), critical infrastructure organizations, technology companies, defense contractors, educational institutions, and manufacturers.
- **Geography:** United States and Europe (in historical campaigns).
- **Victims:** No specific organization names were mentioned in the summary, only the targeted sectors.
## Tools & Infrastructure
- **Malware families used:** Zeppelin ransomware (RaaS).
- **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the provided text, other than mentioning the ransomware family itself.
## Implications
Zeppelin presents a significant and recurring threat, leveraging established RaaS models combined with new complexity (multi-encryption) that complicates recovery efforts by requiring multiple decryption keys. The operators' focus on critical infrastructure and healthcare sectors underscores the potential for wide-ranging operational disruption.
## Mitigations
- Harden RDP access and secure firewall configurations (especially SonicWall devices) against exploitation.
- Maintain strong network monitoring to detect internal network mapping activities (1-2 week enumeration period).
- Deploy defense measures against common ransomware tactics, including restricting PowerShell execution where possible.
- Ensure robust, segmented, and tested backups to counter data exfiltration and encryption successfully.