Infosec pros in North America and Europe are being warned of a new ransomware strain.
Researchers at Blackberry Cylance have dubbed this strain “Zeppelin,” and said it has been targeting “carefully chosen” technology and healthcare firms since November.
This news comes as security vendor Emsisoft issued a report saying ransomware has hit crisis proportions in the U.S.
Zeppelin is part of a ransomware-as-a-service family known to some as Vega or VegaLocker. The two share code and features, the researchers said in a blog post this week. However, Vega is distributed alongside other widespread financial malware as part of a malvertising operation aimed broadly at Russian-speaking computer users. Zeppelin is more targeted at potential victims, and it will quit if it infects machines that are based in Russia, Ukraine, Belorussia and Kazakhstan.
Researchers believe this shift in targeting and malware deployment methods could mean Zeppelin is being used by a different group of attackers than those using Vega and its variants. This group could have bought Zeppelin as a service, bought it or stole the code.
“Ransomware, once in decline, has experienced a resurgence due to the efforts of innovative threat actors,” the researchers note. “For example, the actors behind Zeppelin demonstrate a dedication to their craft by deploying precise attacks against high-profile targets in the IT and health sectors. Targeting specific organizations rather than every reachable user is just one example of how ransomware attacks continue to evolve. The ongoing refinement of ransomware attacks serves as a stark reminder that effective cybersecurity should be proactive, predictive, adaptive, and semi-autonomous.”
Zeppelin appears to be highly configurable, indicated researchers, and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader. The samples are hosted on water-holed websites and, in the case of PowerShell, on Pastebin. There is some evidence that at least some of the attacks were conducted through managed security service providers (MSSPs), according to researchers, which, if true, would make it similar to another recent highly targeted campaign that used ransomware called Sodinokibi.
After encrypting all the files, Zeppelin will drop a ransom note text file and display it in notepad. The filename and contents are configurable by the attacker. Researchers found several different versions, ranging from short, generic messages to more elaborate ransom notes tailored to individual organizations. All the messages instruct the victim to contact the attacker via a provided email address and quote their personal ID number. The attackers are using several secure email providers that are associated with ransomware, such as firemail[.]cc, Protonmail and Tutanota. Additionally, one of the ransom notes uncovered provides an email address associated with a .onion domain that is only accessible via Tor.
The Emsisoft report issued Thursday said the U. S. was hit by “an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 948 government agencies, educational establishments and healthcare providers.” It roughly estimates the cost of these attacks at US$7.5 billion.
The impact on some healthcare providers was so severe that two of them went out of business. Others had to temporarily cancel surgeries.
The report’s authors blame “organizations’ existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses. Combined, these factors created a near-perfect storm. In previous years, organizations with substandard security often escaped unpunished; in 2019, far more were made to pay the price, both figuratively and literally.”
One big problem, authors say: Governments are failing to implement basic and well-established best practices, even when legally required to do so.
The report also warns that backup is not a panacea to ransomware — particularly for hospitals — because it can take weeks or longer to rebuild infected systems. Prevention — by using multi-factor authentication — and detection have to be emphasized by all organizations.
It also said vendors and service providers must do more to stop ransomware through innovation and collaboration. A significant number of ransomware attacks in 2019 were launched through the remote monitoring and management (RMM) tools used by managed service providers.
“In the majority of cases, the attacks succeeded because two- or multi-factor authentication had not been enabled on the RMM. While RMMs support 2FA/MFA, vendors had not made its use mandatory and some MSPs chose not to use it. Most RMM providers have since made 2FA/MFA mandatory, but they did not do so until after their solutions were used as launchpads for large-scale ransomware attacks. This is not acceptable. The industry needs to be proactive rather than reactive and service providers must not prioritize convenience over security.”
