Security researchers at BlackBerry Cylance are warning managed service providers and technology and healthcare companies about a new ransomware variant being used in targeted attacks.
The variant, named Zeppelin, belongs to the VegaLocker/Buran ransomware family and is being deployed against carefully chosen, high-profile targets. Since early 2019, VegaLocker and other variants from this family have been used to attack businesses in Russian-speaking countries.
Those earlier campaigns were broad and relied on malvertising to drive users to sites hosting the ransomware. The latest variant is being used in a markedly different and far more focused campaign: so far, attacks have been identified only at companies in Europe, Canada and the United States. If the ransomware finds itself running on a device in the Russian Federation, Belarus, Ukraine or Kazakhstan, it simply exits without encrypting any files.
Earlier VegaLocker-family variants were all offered as ransomware-as-a-service, and Zeppelin appears to be the same, although BlackBerry Cylance researchers believe the threat actors behind the Zeppelin attacks are different. Only a handful of attacks have been seen to date, which suggests that a small number of operators are running them against carefully selected targets.
Zeppelin is highly configurable and can be delivered as an EXE or a DLL; some samples were also found wrapped in PowerShell loaders. The attackers also personalize the ransom notes and tailor them to each campaign, and in some cases the note includes the name of the targeted company, further indicating how focused the campaigns are.
When a managed service provider is attacked, the MSP's own files are encrypted, and the MSP's remote administration tools are then used to push the ransomware onto its clients' systems, a reminder that an MSP's remote-management tooling is effectively an administrative path into every client it serves. Attacks on service providers have become increasingly common, and several threat actors have used this tactic, including those behind the Ryuk and Sodinokibi ransomware.
Zeppelin uses several layers of obfuscation to evade security products, including encrypted strings, code padded to varying sizes, and pseudo-random keys. Execution of the encryption routine can also be delayed to evade heuristic analysis and outlast sandboxes. The ransomware can also terminate backup services and delete backup files and shadow copies, making recovery without paying the ransom harder.
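The backup-tampering behaviour described above is one of the more reliable detection opportunities, because deleting shadow copies and stopping backup services requires command lines that rarely appear in normal user activity. The following Python script is an added example, not code from the BlackBerry Cylance report or from Zeppelin itself: it runs a small rule set over constructed process-creation events (Sysmon Event ID 1 style, simplified) and flags hosts where several distinct tampering techniques fire. The specific commands matched (vssadmin, wmic shadowcopy, wbadmin, bcdedit, net stop of backup-related services, WMI shadow-copy removal from PowerShell) are commonly observed ransomware techniques and are assumptions here; the page does not state which commands Zeppelin runs. The hosts, users and timestamps are made up.

```python
import re

# Rules for command lines that tamper with backups and recovery. These are
# commonly observed ransomware techniques and are assumptions for this example;
# the Zeppelin report does not list the exact commands the malware runs.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)")),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("stop_backup_service",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+[\"']?(vss|\w*backup\w*|veeam\w*|acronis\w*)\b")),
    ("powershell_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\b(delete|remove-wmiobject|remove-ciminstance)\b")),
]

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# Hosts, users, timestamps and command lines are made up for this example.
SAMPLE_EVENTS = [
    # benign: a user opens a document
    {"ts": "2019-12-11T09:14:02Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n report.docx'},
    # benign: an administrator lists shadow copies (list, not delete)
    {"ts": "2019-12-11T09:20:11Z", "host": "SRV-01", "user": "CORP\\backupadm",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    # a cluster of recovery-disabling commands on one workstation in two seconds
    {"ts": "2019-12-11T09:31:40Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2019-12-11T09:31:41Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2019-12-11T09:31:42Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2019-12-11T09:31:43Z", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "VSS" /y'},
    # a single hit elsewhere: worth a look, but lower confidence on its own
    {"ts": "2019-12-11T10:02:09Z", "host": "SRV-01", "user": "CORP\\backupadm",
     "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
]


def match_rules(cmdline):
    """Return the names of every rule the (case-folded) command line matches."""
    text = cmdline.lower()
    return [name for name, rx in RULES if rx.search(text)]


def scan_events(events):
    """Run every rule over every event; one finding per (event, rule) pair."""
    findings = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            findings.append({"rule": rule, "ts": ev["ts"], "host": ev["host"],
                             "user": ev["user"], "cmdline": ev["cmdline"]})
    return findings


def rules_by_host(findings):
    """Distinct rule names that fired on each host, sorted for stable output."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in by_host.items()}


def high_confidence_hosts(findings, min_rules=2):
    """Hosts where at least min_rules distinct tampering techniques were seen.
    One vssadmin call can be legitimate administration; several different
    recovery-disabling commands on one host are a strong ransomware signal."""
    return sorted(h for h, r in rules_by_host(findings).items() if len(r) >= min_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:<7} {f['user']:<15} {f['rule']:<30} {f['cmdline']}")
    print("high-confidence hosts:", high_confidence_hosts(found))
```

In practice the same rules would be expressed in the SIEM's query language, with the per-host count of distinct rules driving severity: a lone vssadmin or wbadmin invocation by a backup administrator is routine, whereas four different recovery-disabling commands on a user's workstation within a few seconds are not, and that is the point at which isolating the host is worth more than further analysis.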
Encrypted files retain their original extension and are tagged with the word Zeppelin. The encryption routine uses symmetric encryption (AES-256 in CBC mode) with a randomly generated key for each file, and asymmetric encryption of the session key using a custom RSA implementation.
BlackBerry Cylance researchers also obtained samples that encrypt only the first 1000 bytes of each file. That is enough to render files unusable while greatly speeding up the encryption process, which reduces the chance that the attack is detected and stopped before encryption completes. Since the extension is retained and most of the file is untouched, a file's name and extension say nothing about whether its contents are intact.
The ransom note dropped in these targeted attacks contains email addresses through which victims can contact the attackers; this lets the attackers set the ransom amount based on each victim's perceived ability to pay.
The attackers' initial access vector is not yet known. The researchers found one sample on watering-hole sites, with the ransomware payload hosted on Pastebin, but several distribution methods may be in use.
Defending against these attacks requires combining security controls with good security practices, including:
- Closing unnecessary open ports
- Changing all default passwords
- Disabling RDP wherever possible, and restricting and monitoring it where it must stay on
- Using an advanced spam filtering solution
- Applying patches promptly
- Keeping operating systems and software up to date
Staff should be trained in security best practices. Back up regularly and test backups to confirm that files can actually be recovered. At least one backup copy should also be stored securely on a device that is not connected to the network, since the ransomware deletes any backup files and shadow copies it can reach.
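The advice to test backups matters particularly against a variant that keeps the original extension and may overwrite only the first 1000 bytes of each file: a restore check that only confirms files exist with the expected names will pass on data that is already unusable. The Python script below is an added example, not part of the original article, of a content-based verification: it records the size and SHA-256 of every file when the backup is taken and compares a restored tree against that manifest. The demo() function builds a small constructed file tree, "restores" it, then simulates the effect of partial in-place encryption on one file (its first 1000 bytes overwritten with zeros, with name, extension and size unchanged) and the loss of another; the file names and contents are made up for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its size and SHA-256.
    Store the result alongside the backup (ideally on the offline copy)."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest.
    A size match alone is not enough: in-place partial encryption keeps the
    size, so the hash comparison is what actually proves the content is intact."""
    restored_root = Path(restored_root)
    problems = {"missing": [], "size_mismatch": [], "hash_mismatch": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems["missing"].append(rel)
            continue
        if p.stat().st_size != expected["size"]:
            problems["size_mismatch"].append(rel)
        if sha256_file(p) != expected["sha256"]:
            problems["hash_mismatch"].append(rel)
    for p in restored_root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored_root).as_posix()
            if rel not in manifest:
                problems["unexpected"].append(rel)
    return problems


def demo():
    """Constructed end-to-end run: back up a small tree, restore it, tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        # Made-up sample files; the PK header just mimics Office document containers.
        files = {
            "docs/report.docx": b"PK\x03\x04" + b"report body " * 400,
            "finance/q3.xlsx": b"PK\x03\x04" + b"sheet data " * 300,
            "notes/readme.txt": b"plain text, shorter than 1000 bytes\n",
        }
        for rel, data in files.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)

        manifest_json = json.dumps(build_manifest(src))  # what you would keep with the backup
        shutil.copytree(src, restored)

        # Simulate the partial-encryption effect on the restored copy: the first
        # 1000 bytes are overwritten in place; name, extension and size are unchanged.
        with open(restored / "docs/report.docx", "r+b") as f:
            f.write(b"\x00" * 1000)
        # And one file that simply did not make it into the restore.
        (restored / "finance/q3.xlsx").unlink()

        return verify_restore(json.loads(manifest_json), restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest belongs with the offline backup copy, and preferably on write-once media or signed, because a manifest the ransomware can reach is deleted along with the backup files it describes. Note that the tampered document shows up only under hash_mismatch, not size_mismatch, which is exactly why a restore test that compares sizes or directory listings is not a test of recoverability.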