In a new report from Cylance, researchers describe the Zeppelin ransomware being used in targeted attacks against IT and healthcare companies. In at least some of the attacks, Cylance believes the operators targeted MSPs in order to further infect the MSPs' customers via their management software.
In late November, security researcher Vitali Kremez discovered a builder for the Zeppelin ransomware that allows affiliates to build different types of payloads.
These payloads can be an .exe, a .dll, or a .ps1 script, so that they can be used in different types of attacks.
This builder also allows the affiliate to create custom ransom notes that fit the theme of their attack.
For example, if they were targeting a particular company, they could configure the builder to specify the company name in the note to provide more impact.
On December 18th, 2019, Zeppelin began stealing data before encrypting files. It was also found being installed utilizing the ScreenConnect (now called ConnectWise Control) MSP remote management software.
Zeppelin is distributed through unprotected RDP configurations, email spam with malicious attachments, deceptive downloads, botnets, exploits, malicious ads, web injects, fake updates, and repackaged or infected installers.
Like many Russian-based ransomware, Zeppelin will check if the user is in any CIS countries such as Russia, Ukraine, Belorussia, and Kazakhstan by either checking the configured language in Windows or default country code.
If the victim passes this check (that is, the system is not configured for one of those countries), the ransomware will begin terminating various processes, including ones associated with database, backup, and mail servers.
If the “Startup” option is set, the malware will copy itself to the %APPDATA%\Roaming\Microsoft\Windows directory using a name randomly chosen from the list of active processes (ignoring any processes that were invoked with an “install” or “setup” command-line argument).
After setting persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key in the registry, the ransomware will re-execute itself from the new path with the “-start” argument. If the “UAC prompt” option is set, it will try to run with elevated privileges.
If the “Melt” option is set, a self-deletion thread will be injected into a newly spawned notepad.exe process and the malware will exit with the code 0xDEADFACE. Otherwise, it will simply exit with code 0.
Like its predecessors, Zeppelin allows attackers to track the IP addresses and location of victims via the IPLogger web service. If the relevant option is set, the ransomware will try to check in by sending a GET request to a hardcoded URL that was generated using the IPLogger URL Shortener service. The User-Agent field is set to “ZEPPELIN” and the referrer field contains a unique victim ID, created during the key generation phase.
To prevent a victim from checking in more than once, a “Knock” value of 0x29A (666) is written under HKCU\Software\Zeppelin. If the value already exists, the malware will not try to contact the URL on subsequent runs.
Attackers can use the IPLogger web service to view a list of victims and use the shortened URL to redirect users to other malicious content.
When encrypting files, the ransomware does not append an extension, and the file name remains the same. It does, however, embed a file marker, Zeppelin, in the encrypted file; the marker may appear surrounded by different symbols depending on the hex editor and character encoding the user is viewing it with.
For each file that doesn’t match the excluded files/extensions list, the malware will perform the following actions:
- Save the original file attributes and access times to memory and set FILE_ATTRIBUTE_ARCHIVE
- Prepend a "666" string to the plain text file
- Generate a random 32-byte AES symmetric key and 16-byte Initialization Vector (IV)
- Encrypt the file using AES-256 in CBC mode (only the first 0x10000 bytes; the rest of the file content remains unencrypted)
- Encrypt the AES key with the victim's public RSA key and then further obfuscate it with a randomly generated 32-byte RC4 key.
- Prepend a hardcoded marker string to the encrypted file, together with the 8-byte length of encrypted data and 8-byte length of original data.
- Append the following information after the encrypted file content.
- Rename the file to append the victim’s unique ID as an extension.
- Set the file attributes and access times back to original.
- Proceed to the next file.
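As an added example (not code from the article or from Cylance), the following Python triage helper shows what a responder can learn from the file layout described above: it reads the marker and the two 8-byte lengths, measures how much of the original content survives past the encrypted region, and pulls the victim ID out of the appended extension. The exact header layout, the bare marker bytes, and the 3-3-3 hex victim-ID shape (taken from the "Your personal ID" line in the ransom note) are assumptions; the sample file is constructed inline with random bytes standing in for ciphertext.

```python
import os
import re
import struct

# Assumptions (not confirmed by the article): the marker is the bare bytes
# b"Zeppelin", the two lengths are 8-byte little-endian unsigned values that
# follow it directly, and the victim ID appended as an extension has the
# 3-3-3 hex shape seen in the ransom note ("236-15B-2D2").
MARKER = b"Zeppelin"
HEADER_LEN = len(MARKER) + 16
PARTIAL_LIMIT = 0x10000  # article: only the first 0x10000 bytes get encrypted
VICTIM_ID_RE = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$")


def parse_header(data: bytes):
    """Return (encrypted_len, original_len) if the assumed marker is present, else None."""
    if len(data) < HEADER_LEN or not data.startswith(MARKER):
        return None
    return struct.unpack_from("<QQ", data, len(MARKER))


def triage(name: str, data: bytes) -> dict:
    """Report what a responder can still recover from one encrypted file."""
    hdr = parse_header(data)
    if hdr is None:
        return {"zeppelin": False}
    enc_len, orig_len = hdr
    body = data[HEADER_LEN:]
    tail = body[enc_len:]  # bytes past the encrypted region are untouched plaintext
    m = VICTIM_ID_RE.search(name)
    return {
        "zeppelin": True,
        "victim_id": m.group(1) if m else None,
        "encrypted_bytes": enc_len,
        "original_bytes": orig_len,
        "plaintext_tail_bytes": len(tail),
        "recoverable_fraction": len(tail) / orig_len if orig_len else 0.0,
    }


def build_sample(original: bytes) -> bytes:
    """Constructed stand-in for an encrypted file: the first PARTIAL_LIMIT bytes are
    replaced by random bytes (standing in for AES-CBC output), the remainder is left
    untouched, and the assumed header is prepended."""
    head, tail = original[:PARTIAL_LIMIT], original[PARTIAL_LIMIT:]
    fake_ciphertext = os.urandom(len(head))
    header = MARKER + struct.pack("<QQ", len(fake_ciphertext), len(original))
    return header + fake_ciphertext + tail


SAMPLE_ORIGINAL = bytes(range(256)) * 300  # constructed 76,800-byte "document"
SAMPLE = build_sample(SAMPLE_ORIGINAL)
REPORT = triage("report.docx.236-15B-2D2", SAMPLE)
```

On a real incident the recoverable tail is what makes partial carving of large files (databases, archives, media) worth attempting before any decryptor is available.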
If Zeppelin is running as an executable, the first instance of the ransomware will encrypt the files on the current logical drive and spawn a number of subsequent processes with the "-agent" parameter. These processes are responsible for encrypting files on other drives and network shares. All paths to encrypt are stored under the HKCU\Software\Zeppelin\Paths registry key.
Interestingly, some of the samples will encrypt only the first 0x1000 bytes (4KB), instead of 0x10000 (65KB). It might be either an unintended bug, or a conscious choice to speed up the encryption process while rendering most files unusable anyway.
While encrypting files, it will create ransom notes named !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT that contain information regarding what has happened to the victim's files. These notes will also contain email addresses that the victim can contact for payment instructions or to test decrypting one file for free.
The ransom note reads as follows:
!!! ALL YOUR FILES ARE ENCRYPTED !!!

All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: firstname.lastname@example.org and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
Write to email: email@example.com
Reserved email: firstname.lastname@example.org
Your personal ID: 236-15B-2D2

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.