On August 11, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Zeppelin ransomware. The alert provides insight into the tactics, techniques, and procedures (TTPs) along with indicators of compromise used by Zeppelin threat actors. Zeppelin has been operating since 2019 and has targeted organizations across multiple industries as well as critical infrastructure sectors.What is Zeppelin ransomware?Zeppelin is a Delphi-based ransomware and is run as a Ransomware-as-a-Service (RaaS). First reports of Zeppelin ransomware goes back as far as December 2019. Some reports suggest that Zeppelin ransomware originates from the Vegaslocker and Buran strains.According to the CISA advisory, Zeppelin ransomware’s infection vectors include RDP exploitation, leveraging vulnerabilities in popular FireWall products and phishing emails. Once a threat actor compromises the victim’s network, it steals sensitive information from the victim before starting the file encryption process. Zeppelin ransomware typically adds a “.zeppelin” file extension to the affected files, however other files extensions used were observed. After files are encrypted, the victim is presented with a ransom note that is typically named “!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT” containing attacker’s contact information (email, Jabber, ICQ or Telegram) as well as a ransom message. Zeppelin victims are threatened that encrypted files will not be recovered, and stolen information will be released to the public if the ransom is not paid.Ransom note from a recent Zeppelin ransomware sampleThe advisory also states that threat actors ran Zeppelin ransomware more than once on the compromised network in some cases, which resulted in multiple decryption keys being required for file decryption.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known Zeppelin ransomware variants:W32/Zeppelin.FBFD!tr.ransomW32/Buran.H!tr.ransomW32/Agent.H!tr.ransomW32/Filecoder_Buran.J!tr.ransomW32/Kryptik.GOGY!trW32/Kryptik.HIMG!trW32/Kryptik.HJEK!trW32/Generic.AC.171!trW64/Agent.EQ!trW32/Neshta.EW32/CoinMiner.NBX!trW32/PossibleThreatRiskware/Application
More Stories
CyberDanube Security Research 20241219-0 | Authenticated Remote Code Execution in Ewon Flexy 205
Posted by Thomas Weber | CyberDanube via Fulldisclosure on Dec 21 CyberDanube Security Research 20241219-0 ------------------------------------------------------------------------------- title| Authenticated Remote Code...
USN-7179-1: Linux kernel vulnerabilities
Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote...
USN-7173-2: Linux kernel vulnerabilities
Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to...
swiftlint-0.57.1-1.fc42
FEDORA-2024-87d30b4fbf Packages in this update: swiftlint-0.57.1-1.fc42 Update description: Automatic update for swiftlint-0.57.1-1.fc42. Changelog * Fri Dec 20 2024 Davide Cavalca...
USN-7166-3: Linux kernel (HWE) vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This...
USN-7159-4: Linux kernel (IoT) vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This...