Ransomware Recap: Snatch and Zeppelin Ransomware
Updated on December 12, 2019 at 6:01 PM PST to amend detection names for Snatch ransomware.
Two ransomware families – Snatch and Zeppelin – with noteworthy features were spotted this week. Snatch ransomware is capable of forcing Windows machines to reboot into Safe Mode. Zeppelin ransomware, on the other hand, was responsible for infecting healthcare and IT organizations across Europe and the U.S.
Snatch Ransomware Reboots PCs in Safe Mode to Evade Security
Snatch reboots infected machines into Safe Mode to bypass security software and encrypt files without being detected. It was designed to do this because security software often do not run in Windows Safe Mode, since it’s meant for debugging and recovering a corrupt operating system (OS).
Researchers at SophosLabs found that the ransomware operators use a Windows registry key to schedule a Windows service called SuperBackupMan, which can run in Safe Mode and cannot be stopped or paused. The malware even goes further by deleting all volume shadow copies on the system, thus preventing the forensic recovery of encrypted files.
Snatch ransomware, first discovered back in 2018, does not target home users or use mass distribution methods such as spam campaigns or browser-based exploits. Instead, the malware operators go after a small list of targets that include companies and government organizations. The operators were also found recruiting hackers on hacking forums and stealing information from target organizations.
Zeppelin Ransomware Targets Healthcare and IT Organizations in Europe and the US
Zeppelin, which is a new variant of the VegaLocker/Buran ransomware, was spotted (with compilation timestamps no earlier than November 6, 2019) infecting companies located in Europe and the U.S. through targeted installs. Reported by BlackBerry Cylance, the Zeppelin ransomware, also a ransomware-as-a-service (RaaS) family, was found being used to infect certain healthcare and IT companies.
Zeppelin ransomware appears to be highly configurable and can be deployed as a .dll or .exe file, or wrapped in a PowerShell loader. Aside from encrypting files, it also terminates various processes, including those associated with backup, database, and mail servers. Zeppelin executables were found wrapped in three layers of obfuscation. Its ransom notes range from generic messages to elaborate notes tailored to specific organizations. Notably, it appears Zeppelin ransomware is not being widely distributed — or at least not yet.
The researchers believe that Zeppelin, similar to Sodinokibi ransomware, is being spread through managed service providers (MSPs) to further affect customers. Moreover, the ransomware can also be distributed through malvertising operations and watering hole attacks.
How to Protect Against Ransomware
Aside from maintaining an up-to-date operating system to address exploitable vulnerabilities, users should adopt the standard best practice of backing up data via the 3-2-1 rule. Users can also consider deploying comprehensive, multilayered security solutions that will protect against ransomware attacks coming from different entry points. Here are other measures that users and organizations can implement to prevent ransomware attacks:
- Secure ports and services that are exposed on the internet
- Enable multifactor authentication to protect admin accounts from potential brute-force attacks
- Secure remote access tools as they can be used as entry points
- Employ the principle of least privilege and regularly monitor your network for threats
- Perform regular password audits for stronger access control
Trend Micro solutions such as the Smart Protection Suites and Worry-Free™ Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.
Indicators of Compromise (IoCs)
Snatch ransomware
SHA-256 | Trend Micro Predictive Machine Learning Detection |
Trend Micro Pattern Detection |
081fb13b0f7ee9750c2ea3ae037a29ec87a313b99a693027d42021cfda869fd8 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
78816ea825209162f0e8a1aae007691f9ce39f1f2c37d930afaf5ac3af78e852 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
d0ddc221b958d9b4c7d9612dd2577bec35d157b41aa50210c2ae5052d054ff33 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
c81b5271551d526d881bd5840256ea9168e3be0c13695a827195e3c56f524457 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
fe8ba1eaf69b1eba578784d5ab77e54caae9d90c2fb95ad2baaaef6b69a2d6cb | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
ebcded04429c4178d450a28e5e190d6d5e1035abcd0b2305eab9d29ba9c0915a | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win64.SNATCH.AB |
e8931967ed5a4d4e0d7787054cddee8911a7740b80373840b276f14e36bda57d | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
5f24536e48f406177a9a630b0140baadff1e29f36b02095b25e7e21c146098bb | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win64.SNATCH.AB |
eebc57e9e683a3c5391692c1c3afb37f3cb539647f02ddd09720979426790f56 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win64.SNATCH.AB |
25e0cff6bb669ed31b8ddaf46807ed5bc74a6dac05151db291ac0b6a74a0a015 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win64.SNATCH.AB |
28125dae3ab7b11bd6b0cbf318fd85ec51e75bca5be7efb997d5b950094cd184 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win64.SNATCH.AB |
80cc8e51b3b357cfc7115e114cecabc5442c12c143a7a18ab464814de7a66ab4 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win64.SNATCH.AB |
0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
329f295b8aa879bedd68cf700cecc51f67feee8fd526e2a7eab27e216aa8fcaa | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
ab6b0d00ba8f8553c015743b9da8761a9b1fca750d3f73bda573a8fbc47dafa1 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
63c2c1ad4286dbad927358f62a449d6e1f9b1aa6436c92a2f6031e9554bed940 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win64.SNATCH.AB |
c0f506e98f416412b3a9dcd018341afab15e36b15bac89d3b02ff773b6cc85a6 | Troj.Win32.TRX.XXPE50FFF033 | Ransom.Win32.SNATCH.B |
Zeppelin ransomware
SHA-256, malicious URLs, and email addresses | Trend Micro Pattern Detection |
04628e5ec57c983185091f02fb16dfdac0252b2d253ffc4cd8d79f3c79de2722 | Ransom.Win32.ZEPPELIN.A |
39d8331b963751bbd5556ff71b0269db018ba1f425939c3e865b799cc770bfe4 | Ransom.Win32.ZEPPELIN.A |
4894b1549a24e964403565c61faae5f8daf244c90b1fbbd5709ed1a8491d56bf | Ransom.Win32.ZEPPELIN.A |
e22b5062cb5b02987ac32941ebd71872578e9be2b8c6f8679c30e1a84764dba7 | Ransom.Win32.ZEPPELIN.A |
1f94d1824783e8edac62942e13185ffd02edb129970ca04e0dd5b245dd3002bc | Ransom.Win32.ZEPPELIN.A |
d61bd67b0150ad77ebfb19100dff890c48db680d089a96a28a630140b9868d86 | Ransom.Win32.ZEPPELIN.A |
hxxps://iplogger[.]org/1HVwe7[.]png | |
hxxps://iplogger[.]org/1HCne7[.]jpeg | |
hxxps://iplogger[.]org/1Hpee7[.]jpeg | |
hxxps://iplogger[.]org/1syG87 | |
hxxps://iplogger[.]org/1H7Yt7[.]jpg | |
hxxps://iplogger[.]org/1wF9i7[.]jpeg | |
bad_sysadmin@protonmail[.]com | |
Vsbb@firemail[.]cc | |
Vsbb@tutanota[.]com | |
buratino@firemail[.]cc | |
buratino2@tutanota[.]com | |
ran-unlock@protonmail[.]com | |
ranunlock@cock[.]li | |
buratin@torbox3uiot6wchz[.]onion |
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.