After not being seen for a while, Zeppelin ransomware is now back and was seen in August by researchers from Juniper Threatlab. Just like previous campaigns, this one starts with an email that includes a malicious Microsoft Word document which is loaded with malicious macros. If and when a target enables macros, the infection process will begin. Zeppelin is believed to have affected 64 victims during this recent campaign and Juniper researchers believe it could have started on June 4th when the C2 server was registered. The passive DNS data reveals that August 28th is the most recent showing of the name resolution for the C2 domain. Previously Zeppelin has been known as a more targeted ransomware with the first campaign aimed at tech and healthcare companies in the US and Europe.
Analyst Notes
Having secure backups of files stored offline is the first line of defense for to defending against ransomware. It’s also important to never open attachments if the sender is unknown–especially if the attachment asks to enable macros. The combination of anti-virus software with Endpoint Detection and Response (EDR) tools can help prevent or stop intrusions. An adequate monitoring system that fits the needs of an organization is also very important, this will allow businesses to get ahead of the infection and stop it before important files are compromised. At Binary Defense, our Security Operations Task Force analysts monitor endpoints for signs of intrusions and we alert our clients as soon as any suspicious activity is noticed.
Sources: https://threatpost.com/zeppelin-ransomware-returns-trojan/159092/?web_view=true
