Zeppelin ransomware, also known as Buran, has returned with updates according to the ransomware's developers. Zeppelin is a Delphi-based Ransomware-as-a-Service (RaaS) that is offered to users on Darknet forums for them to use against any victim companies they wish. According to Advanced Intel, the developers behind Zeppelin reinvigorated their activity in March 2021. The group announced a major update to the software along with a new round of sales, coming with a $2,300 price tag. The group posted on underground forums that they provide individual configurations for their ransomware and are willing to work with any subscribers to agree on mutually beneficial terms. Zeppelin is a unique RaaS group in many ways and works to improve its product through recommendations from other cybercrime groups. The group also does not operate a leak site like many other ransomware operators and focuses on encrypting the data alone, instead of stealing and leaking it.
Though many ransomware groups now use leak sites to entice victims to pay a higher ransom because of fear of a data breach, Zeppelin has not yet adopted this idea. Best practices for detection and defense should be in place to stop this ransomware from causing major harm to corporate networks. Regularly backing up critical data and keeping copies of backups safely stored offline is important to recovery efforts if defenses fail. Recommended preventative measures include keeping software up to date with security patches, not exposing Remote Desktop Protocol (RDP) to the Internet, and continuously monitoring potential security events on endpoints such as employee workstations and servers. Security analysts should be on duty 24 hours a day, every day—either using employees or a security service provider such as Binary Defense’s Security Operations Task Force, monitoring endpoints for any abnormal behavior and isolating that behavior before it can spread across a network. The criminal groups that use Zeppelin ransomware typically rely on initial attack vectors such as RDP, unpatched VPN servers, and phishing. An audit of RDP and VPN services within an organization should be conducted to ensure they are configured properly and are not left open to the public. Training employees on how to spot phishing emails is another crucial step in defending against cyber attacks.
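One way to start the RDP and VPN audit recommended above is to run an inventory of inbound firewall or security-group rules through a check that flags anything reachable from the public Internet. The following is an added example, not code from the original post or from Binary Defense; the rule format, the VPN port list and the sample rules are my own assumptions and the sample data is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Ports to audit. RDP is the service the post says must not be Internet-facing;
# the VPN ports are an assumption covering common products (the post names none).
RDP_PORTS = {3389: "RDP"}
VPN_PORTS = {1194: "OpenVPN", 500: "IKE", 4500: "IPsec NAT-T", 1723: "PPTP"}

@dataclass(frozen=True)
class Rule:
    """One inbound allow rule, in the shape of a firewall/security-group export."""
    name: str
    proto: str      # "tcp", "udp" or "any"
    port: int
    source: str     # CIDR the rule accepts traffic from

def is_public_source(cidr: str) -> bool:
    """True if the source range is reachable from the Internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0: anyone at all
        return True
    return not (net.is_private or net.is_loopback or net.is_link_local)

def audit(rules):
    """Return (rule name, service, severity) for every publicly reachable RDP/VPN rule."""
    findings = []
    for r in rules:
        if r.proto.lower() not in ("tcp", "udp", "any"):
            continue
        if not is_public_source(r.source):
            continue
        if r.port in RDP_PORTS:
            # RDP open to the public is exactly what the post warns against.
            findings.append((r.name, RDP_PORTS[r.port], "high"))
        elif r.port in VPN_PORTS:
            # A VPN concentrator is expected to be public, but unpatched VPN
            # servers are a listed entry vector, so confirm its patch level.
            findings.append((r.name, VPN_PORTS[r.port], "review-patching"))
    return findings

# Constructed sample export (not real infrastructure).
SAMPLE_RULES = [
    Rule("allow-rdp-anywhere", "tcp", 3389, "0.0.0.0/0"),
    Rule("allow-rdp-from-vpn-pool", "tcp", 3389, "10.20.0.0/16"),
    Rule("allow-openvpn", "udp", 1194, "0.0.0.0/0"),
    Rule("allow-rdp-v6-anywhere", "tcp", 3389, "::/0"),
    Rule("allow-https", "tcp", 443, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, svc, sev in audit(SAMPLE_RULES):
        print(f"{sev:16} {svc:12} {name}")
```

The RDP rule restricted to the internal 10.20.0.0/16 pool is not flagged, which is the configuration the post recommends: reach RDP only through the VPN, never directly from the Internet.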