Zeppelin Ransomware
El ransomware de Zeppelin fue descubierto en noviembre de 2019 por investigadores de seguridad cibernética de Cylance, operaba como Ransomware as a Service (RaaS) y hasta junio de 2022 el grupo atacó un rango amplio de organizaciones del sector educativo, manufactureras, compañías de tecnología, y sobre todo instituciones del sector salud. El grupo solía amenazar con ataques de doble extorsión, y solía pedir bitcoins como moneda del pago de rescate, el cual rondaba entre muchos miles de dólares hasta el millón. Este ransomware ha estado inactivo desde junio de 2022 debido a la fuerte investigación del FBI junto a CISA (Cybersecurity and Infrastructure Security Agency). Desde el 4 de enero de 2024, un ciberdelincuente que utiliza el nombre de ‘RET’ ha puesto en venta el código fuente del ransomware de Zeppelin en $500 dólares en un foro de hacking, lo cual ha despertado las alertas de todos los expertos de ciberseguridad. La venta del código de este ransomware es particularmente alarmante debido a sus sofisticadas técnicas de encriptación y a sus capacidades destructivas, además, podría ocasionar un aumento en los ataques de ransomware, ya que cualquier persona que adquiera el código fuente podría utilizarlo a su beneficio. En noviembre de 2022, el FBI y los investigadores de ciberseguridad descubrieron fallos explotables en el esquema de encriptación de Zeppelin, lo cual les permitió construir un descifrador para ayudar a las víctimas desde 2020.
Zeppelin ransomware ingresa a los sistemas de sus víctimas principalmente a través de campañas de phishing por correo electrónico y explotando vulnerabilidades en redes privadas o software desactualizado. Utiliza técnicas avanzadas como PowerShell, ejecución de comandos remotos y scripts maliciosos para infiltrarse y propagarse dentro de las redes. Otra táctica común es comprometer RDP (Remote Desktop Protocol) para acceder a sistemas vulnerables. Además, Zeppelin puede personalizar sus paylods para evitar la detección por software antivirus, lo que lo hace más peligroso y difícil de rastrear.
Una vez dentro del sistema, Zeppelin ransomware encripta archivos de datos utilizando el algoritmo AES-256, y exige un rescate a cambio de la clave de descifrado. Durante el proceso de encriptación, se renombran los archivos agregándoles un número aleatorio nueve dígitos en formato hexadecimal como extensión, por ejemplo: file.txt.txt.C59-E0C-929, y deja una nota de rescate en un archivo que se encuentra en todos los sistemas comprometidos, comúnmente en el escritorio.
Taxonomía de ataque con MITRE ATT&CK:
| Táctica | Técnica | ID |
| Initial Access | Exploit External Remote Services | T1133 |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Initial Access | Phishing | T1566 |
| Execution | Malicious Link | T1204.001 |
| Execution | Malicious File Attachment | T1204.002 |
| Persistence | Modify System Process | T1543.003 |
| Impact | Data Encrypted for Impact | T1486 |
Recomendaciones
- Mantener todos los sistemas y software actualizados para evitar vulnerabilidades.
- Tener filtros de correo electrónico y spam.
- Auditar herramientas de acceso remoto.
- Revisar logs para de ejecución de software de acceso remoto.
- Limitar estrictamente el uso de RDP.
- Concientizar a los empleados sobre los métodos de Phishing e Ingeniería social.
- Realizar copias de seguridad o backups constantemente, manteniéndolos en una ubicación segura.
- Revisar continuamente los privilegios de los usuarios.
- Tener una solución EDR bien configurada.
Indicadores de compromiso:
| Tipo | Indicador de compromiso |
| FileHash-SHA256 | 001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d |
| FileHash-SHA256 | 0056d5ff5181c5b8ddc8cc9f20e4ca648462b4c57dbd61ea77c1153277c410f1 |
| FileHash-SHA256 | 043ee940a148316462463082f482c1a5001040d18ec16c9b2d499b2ff2ee3374 |
| FileHash-SHA256 | 044e1a8f5b29bf9e62f4544f84ab96e70b18d8751fe74d164d4ba0724a324904 |
| FileHash-SHA256 | 04628e5ec57c983185091f02fb16dfdac0252b2d253ffc4cd8d79f3c79de2722 |
| FileHash-SHA256 | 0a34f1c744ad2f55e9f4ac2e7a750985b0e6f4d238a56073c718d0838f9b7912 |
| FileHash-SHA256 | 0bfe0d2a7136864f0f1a49cfd71dd19b703b6e542f633a8735dde77c7ee5215b |
| FileHash-SHA256 | 0d22d3d637930e7c26a0f16513ec438243a8a01ea9c9d856acbcda61fcb7b499 |
| FileHash-SHA256 | 0ed326ed1576e2dc05bad014dc64df538a203f9a3ac48c91ae2018245e016f0d |
| FileHash-SHA256 | 0f52ed82c2bb968be3a6e159c7a119ae7721d0d7a686d501ae571a8976288162 |
| FileHash-SHA256 | 168e92dacb56fa5058cf8a75302783033af2845e5780cdf9d7710394fe132b46 |
| FileHash-SHA256 | 1e3c5a0aa079f8dfcc49cdca82891ab78d016a919d9810120b79c5deb332f388 |
| FileHash-SHA256 | 21807d9fcaa91a0945e80d92778760e7856268883d36139a1ad29ab91f9d983d |
| FileHash-SHA256 | 22c782b3923d755531ce3af704233c5acbe0780031f518143f010d853dbd66b0 |
| FileHash-SHA256 | 24244997e0e3c538455044cd59d3b7f3234b87419c1c212bfc06dc94fe3e33df |
| FileHash-SHA256 | 26ec12b63c0e4e60d839aea592c4b5dcff853589b53626e1dbf8c656f4ee6c64 |
| FileHash-SHA256 | 2dffe3ba5c70af51ddf0ff5a322eba0746f3bf3ae0751beb3dc0059ed3faaf3d |
| FileHash-SHA256 | 2f188ec2723fa426316484e54c0862db24de80441c27c17181ce5ad5c7fbff57 |
| FileHash-SHA256 | 307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e |
| FileHash-SHA256 | 347f14497df4df73bc414f4e852c5490b12db991a4b3811712bac7476a3f1bc9 |
| FileHash-SHA256 | 353e59e96cbf6ea6c16d06da5579d3815aaaeeefacabd7b35ba31f7b17207c5b |
| FileHash-SHA256 | 378fdad17c086d15991c94b1cdb1947f07f16d11596b526c172073a056a07311 |
| FileHash-SHA256 | 37c320983ae4c1fd0897736a53e5b0481edb1d1d91b366f047aa024b0fc0a86e |
| FileHash-SHA256 | 37efe10b04090995e2f3d9f932c3653b27a65fc76811fa583934a725d41a6b08 |
| FileHash-SHA256 | 39d8331b963751bbd5556ff71b0269db018ba1f425939c3e865b799cc770bfe4 |
| FileHash-SHA256 | 42770c6589ccf83a6712aca6f9d990a0c24b664887d5f5dead5d5f123c7b7ef9 |
| FileHash-SHA256 | 442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024 |
| FileHash-SHA256 | 4440763b18d75a0f9de30b1c4c2aeb3f827bc4f5ea9dd1a2aebe7e5b23cfdf94 |
| FileHash-SHA256 | 45fba1ef399f41227ae4d14228253237b5eb464f56cab92c91a6a964dc790622 |
| FileHash-SHA256 | 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933 |
| FileHash-SHA256 | 4894b1549a24e964403565c61faae5f8daf244c90b1fbbd5709ed1a8491d56bf |
| FileHash-SHA256 | 4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080 |
| FileHash-SHA256 | 4c92122a43836e173d83202e02468dc866e7bc7fe6aaa4a4f778116475b9b503 |
| FileHash-SHA256 | 4f7f151c4baa92b192d53da2d3338b7111653ed4bd8e61f6e0696164068f7144 |
| FileHash-SHA256 | 51dcfc0bb4c166fdcbceabf884e0c779be87d88b336e7bdfc89ebdf6ea2f4b62 |
| FileHash-SHA256 | 5209a3609fd55893a688c550bb1beb00db4c0e88d32bbd32426ab3e9a94385f3 |
| FileHash-SHA256 | 523d5bb591baef8f67e25ef62de4bd12793a53d4dd488a62d269bc2bdf6c64e4 |
| FileHash-SHA256 | 5326f52bd9a7a52759fe2fde3407dc28e8c2caa33abf1c09c47b192a1c004c12 |
| FileHash-SHA256 | 54d567812eca7fc5f2ff566e7fb8a93618b6d2357ce71776238e0b94d55172b1 |
| FileHash-SHA256 | 55d55b41cee734ce84aa0bcca01a6cacc956c4d9f9bd4dec0ff0d7b528ecc50e |
| FileHash-SHA256 | 594df9c402abfdc3c838d871c3395ac047f256b2ac2fd6ff66b371252978348d |
| FileHash-SHA256 | 5ec7bc8bfa892ce6a127441003213eed8bb2ac230bce1fa1f51aff1fb7ac8e64 |
| FileHash-SHA256 | 606514a3f9dce96ea216ae2ca869c0c39b13364794025f497f5efddd46e90135 |
| FileHash-SHA256 | 614cb70659ef5bb2f641f09785adc4ab5873e0564a5303252d3c141a899253b2 |
| FileHash-SHA256 | 677035259ba8342f1a624fd09168c42017bdca9ebc0b39bf6c37852899331460 |
| FileHash-SHA256 | 69ca8fee69693c3806ca94e38e4ef362babf92f96a6c5c4ae39b4acef4d79883 |
| FileHash-SHA256 | 6a1280ecfa06bf36f01280f9eea722e9b2e5ce0ab75f5e30dc5a73eae4b9cfdc |
| FileHash-SHA256 | 6bafc7e2c7edc2167db187f50106e57b49d4a0e1b9269f1d8a40f824f2ccb42b |
| FileHash-SHA256 | 6e919961929f69c36744ae60ca1552b3cc77e7c430e6e48d9b7bca2e99644536 |
| FileHash-SHA256 | 6fbfc8319ed7996761b613c18c8cb6b92a1eaed1555dae6c6b8e2594ac5fa2b9 |
| FileHash-SHA256 | 722221b67746b206a42ca36f433566bea14b42c9fc7fdd772f42cdb30552b199 |
| FileHash-SHA256 | 7430d1dbf96b83426cfb859b8cdb2633489d08de8782c162de6c631978c61dea |
| FileHash-SHA256 | 746f0c02c832b079aec221c04d2a4eb790287f6d10d39b95595a7df4086f457f |
| FileHash-SHA256 | 774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279 |
| FileHash-SHA256 | 79d6e498e7789aaccd8caa610e8c15836267c6a668c322111708cf80bc38286c |
| FileHash-SHA256 | 7be32f7764079ba925ea88173a1059fb120a90b5f1d891e13969ce171c129b4b |
| FileHash-SHA256 | 7d8c4c742689c097ac861fcbf7734709fd7dcab1f7ef2ceffb4b0b7dec109f55 |
| FileHash-SHA256 | 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2 |
| FileHash-SHA256 | 81cca9486817c67cf50fa8b556bf590c365b62704df39b227950cfab00240b0e |
| FileHash-SHA256 | 85f9bf4d07bc2ac1891e367f077dd513d6ca07705bffd1b648d32a7b2dc396f5 |
| FileHash-SHA256 | 86aa6cd81464c4e7d4f098b4bcbb6173645c2a693fa5d6703dd032f5b8f70180 |
| FileHash-SHA256 | 894b03ed203cfa712a28ec472efec0ca9a55d6058115970fe7d1697a3ddb0072 |
| FileHash-SHA256 | 8c24f6a092ff4e154e2abdfbacdc42c70c6b91995506ff443a69f00220136a9d |
| FileHash-SHA256 | 8c5b49c4b01d6080935b57ced69b9c71fc386350f2b636d75df81e1ea763998c |
| FileHash-SHA256 | 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6 |
| FileHash-SHA256 | 8e20fa54fb3bc8e4572aa10d1e780a7cc97a7ba04115db081a2cd0365bbfaf77 |
| FileHash-SHA256 | 92ec095c7e11cec11f3a40096b9e10ba10ee6e5729ace159e18690934971e7f7 |
| FileHash-SHA256 | 931e3ec9d8765e3d79909c83ac87e3ff7ed58088d161d431c19951083d50f5b6 |
| FileHash-SHA256 | 961fbc7641f04f9fed8391c387f01d64435dda6af1164be58c4cb808b08cc910 |
| FileHash-SHA256 | 97b481e02d150b4575a520b1e68d1add76316f0d0b60b2d549f12b951a67e134 |
| FileHash-SHA256 | 9e9ccf9a8593aec7e3bfadf2dd7081f2849495bbc37e6a6f013884507537290b |
| FileHash-SHA256 | 9ef90ec912543cc24e18e73299296f14cb2c931a5d633d4c097efa372ae59846 |
| FileHash-SHA256 | a2a9385cbbcfacc2d541f5bd92c38b0376b15002901b2fd1cc62859e161a8037 |
| FileHash-SHA256 | a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0 |
| FileHash-SHA256 | a42185d506e08160cb96c81801fbe173fb071f4a2f284830580541e057f4423b |
| FileHash-SHA256 | a5847867730e7849117c31cdae8bb0a25004635d49f366fbfaebce034d865d7d |
| FileHash-SHA256 | aa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe |
| FileHash-SHA256 | ab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75 |
| FileHash-SHA256 | ac4f0a4c4c3c53e1ce700c0f0d44d8b4ec311846dc536e48a3e19f6079f9512e |
| FileHash-SHA256 | aeebc7003557be3edd2ecd638cb485e461efabca6f983bef7d2c32a9d5ee9d43 |
| FileHash-SHA256 | b191a004b6d8a706aba82a2d1052bcb7bed0c286a0a6e4e0c4723f073af52e7c |
| FileHash-SHA256 | b22b3625bcce7b010c0ee621434878c5f8d7691c2a101ae248dd221a70668ac0 |
| FileHash-SHA256 | bafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d |
| FileHash-SHA256 | bc214c74bdf6f6781f0de994750ba3c50c0e10d9db3483183bd47f5cef154509 |
| FileHash-SHA256 | c080d7228471422cbd230849cd523292b2b0553a3f347677ca66f3e502591eb1 |
| FileHash-SHA256 | c1beb2a1156565539b1fe59434d167d97e98a05298cfa0255de493471a2c0047 |
| FileHash-SHA256 | c3c1546d6f3b48eabcab82390b5628a2dd438b82989969dd1c1016c8f7366911 |
| FileHash-SHA256 | cf9b6dda84cbf2dbfc6edd7a740f50bddc128842565c590d8126e5d93c024ff2 |
| FileHash-SHA256 | d2ff024a7b4a7cacc69146d36b5aa13b026cffc900737e131cefc81189a0b7dc |
| FileHash-SHA256 | d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c |
| FileHash-SHA256 | d61bd67b0150ad77ebfb19100dff890c48db680d089a96a28a630140b9868d86 |
| FileHash-SHA256 | dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f |
| FileHash-SHA256 | e22b5062cb5b02987ac32941ebd71872578e9be2b8c6f8679c30e1a84764dba7 |
| FileHash-SHA256 | e48cf17caffc40815efb907e522475722f059990afc19ac516592231a783e878 |
| FileHash-SHA256 | e61edbddf9aed8a52e9be1165a0440f1b6e9943ae634148df0d0517a0cf2db13 |
| FileHash-SHA256 | e8596675fef4ad8378e4220c22f4358fdb4a20531b59d7df5382c421867520a9 |
| FileHash-SHA256 | ed1548744db512a5502474116828f75737aec8bb11133d5e4ad44be16aa3666b |
| FileHash-SHA256 | ef4f85e1ee0770c72e77e47316619482513b291dc09e148a35cd55a799659fe9 |
| FileHash-SHA256 | f2ad2b40a1ca4c337396cf8dd0528796c1e1657d8c76c441f459ac0e1dc60396 |
| FileHash-SHA256 | f3d4f1c1e35599b44207ecd23d06cd4f9947bcdf075756954dcd9dec83f72d0b |
| FileHash-SHA256 | f7af51f1b2b98b482885b702508bd65d310108a506e6d8cef3986e69f972c67d |
| FileHash-SHA256 | f88161d9a184f39f3b52c6374566bbaee17884d905e0fd3996db4f8e4cf79b21 |
| FileHash-SHA256 | faa79c796c27b11c4f007023e50509662eac4bca99a71b26a9122c260abfb3c6 |
| FileHash-SHA256 | fb3e0f1e6f53ffe680d66d2143f06eb6363897d374dc5dc63eb2f28188b8ad83 |
| FileHash-SHA256 | fb59f163a2372d09cd0fc75341d3972fdd3087d2d507961303656b1d791b17c6 |
| FileHash-SHA256 | fb6d9a5f1a2c3936c8a855219ceff2f8b9d533c7b19eed1c98ddfbfffaf8d039 |
| hostname | www.geodatatool.com |
| IPv4 | 158.69.65.151 |
| IPv4 | 88.99.66.31 |
| URL | http://iplogger.org/1H7Yt7.jpg |
| URL | http://iplogger.org/1HCne7.jpeg |
| URL | http://iplogger.org/1Hpee7.jpeg |
| URL | http://iplogger.org/1HVwe7.png |
| URL | http://iplogger.org/1syG87 |
| URL | http://iplogger.org/1wF9i7.jpeg |
| URL | https://www.geodatatool.com/ |
| domain | cock.li |
| domain | firemail.cc |
| domain | iplogger.org |
| domain | iplogger.ru |
| domain | ntdetect.com |
| domain | torbox3uiot6wchz.onion |
Referencias
- #StopRansomware: Zeppelin Ransomware | CISA. (2022, 11 agosto). Cybersecurity and Infrastructure Security Agency CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-223a
- Zeppelin Ransomware. (2022, septiembre). Ciberseguridad Eusko Jaurlaritza Gobierno Vasco. Recuperado 9 de enero de 2024, de https://www.ciberseguridad.eus/sites/default/files/2022-09/BCSC-Malware-Zeppelin-TLPClear%20_V1.pdf
- Toulas, B. (2024, 4 enero). Zeppelin ransomware source code sold for $500 on hacking Forum. BleepingComputer. Recuperado el 9 de enero de 2024 en: https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-source-code-sold-for-500-on-hacking-forum/
- Lapienyté, J. (2023, 15 noviembre). Zeppelin ransom gang executes malware multiple times within a victim’s network. CyberNews. Recuperado el 9 de enero de 2024 en: https://cybernews.com/news/zeppelin-ransom-gang-executes-malware-multiple-times-within-a-victims-network/
