In less than a decade, ransomware has grown from a relatively unknown attack technique to a national security threat at the top of the agenda for law enforcement, policy makers, and corporate boardrooms. The large fortunes made by these extortion groups are attracting top-level technical talent, which exacerbates the challenge of dealing with this growing threat.
Making matters even more complex is the cybersecurity industry’s focus on reporting the newest threats and sensational ransomware trends without much context for defenders. Oftentimes this reporting takes the form of short social media updates that create more concern than clarity. Even longer-form news stories rarely answer the questions that those directly facing ransomware threats need answered.
At Flashpoint, we aim to create comprehensive reporting that answers complex questions from our clients, which often requires a deeper dive to uncover underlying trends. The most common questions Flashpoint analysts hear from clients are:
- Does tracking ransomware criminal groups provide insights into the geopolitical dimensions of the threat?
- How does this criminal activity fit into government action or inaction with regard to certain nations such as Russia, China, etc.?
- How feasible is it to try to break the encryption versus paying the ransom? What would happen if we do not pay the ransom to this particular group?
- What are the trends in modern ransomware, and what should we expect next?
- What risks are associated with interacting with illicit groups or individuals who may be on the OFAC sanctions list?
Based on these questions, the Flashpoint Hunt Team has observed the following recent trends among ransomware cybercriminals: geopolitical association, the RaaS ecosystem, extortion trends, trends in common methods of attack, and victim responses.
The Flashpoint team has also observed that, since threat actors need a platform on which to sell ransomware, they usually operate on encrypted chat services and other covert channels, where they constantly advertise new, updated releases of their malware in order to stay competitive in the underground marketplace. This requires that the Hunt Team possess the knowledge, skills, and technology needed to embed themselves within these secretive online spaces and analyze heavily marketed new ransomware. From there, our team is able to assess the newest threats emerging from illicit communities and evaluate their scope and potential danger, enabling customers to be proactive about managing risk.
One recent example of the Hunt Team’s deep-dive work was an extensive analysis of Zeppelin ransomware. Zeppelin was one of the most sophisticated and, therefore, most expensive ransomware builders put on the underground market. It was one of the first examples of a sophisticated ransomware builder offered for sale that did not require affiliation with the criminal group in order to operate the ransomware. Because of this, it is impractical to attribute “Zeppelin” attacks to any single group, since this business model essentially made it Ransomware-as-a-Franchise.
To learn more about Zeppelin’s origins and read the full technical analysis, please download the report here.