The Zeppelin ransomware gang has joined the ranks of ransomware strains that will also collect and steal a victim’s data before encrypting files.
Zeppelin joins Maze, REvil (Sodinokibi), Snatch, and the now-defunct Merry Christmas ransomware in doing so.
The discovery that Zeppelin also steals victim data before the encryption process was made by cyber-security firm Morphisec while investigating and providing incident response services to a Zeppelin victim in the real estate sector.
“In this case, we have a threat actor using similar techniques like in the Wipro incident — targeting servers, stopping all database processes, copying the backup, and then deploying the ransomware, using all this with a legit IT remote tool,” Michael Gorelik, Morphisec CTO, said in an interview yesterday.
Gorelik told ZDNet that his company identified links to a server where crooks were sending the stolen database backups, “a data source that might indicate significant data breaches of some companies.”
The Morphisec CTO said they contacted authorities in regard to the breach and the data exfiltration server.
Morphisec’s in-depth report on this particular intrusion can be found on the company’s blog. The report and its findings are consistent with a Cylance report from last week, which first documented the Zeppelin ransomware, but not the data theft.
This is because the data theft takes place before the execution of the actual ransomware binary that encrypts the data. It is part of a recent trend in the ransomware scene.
The tactic is often referred to as “big game hunting ransomware.” This term refers to ransomware gangs that abandoned targeting home users and are now going after large enterprises.
The gangs breach a company’s infrastructure, move laterally through the network to gain access to as many computers as possible, and then run their ransomware to encrypt data and demand exorbitant ransom demands.
There’s a slew of ransomware strains that are being used in “big game hunting” intrusions. However, over the past month, there has been a shift in tactics.
As companies are slowly adopting a solid backup strategy, they have also started ignoring the ransom demands and rebuilding their networks from scratch, rather than paying the ransom.
Adapting to this trend, some ransomware gangs are now stealing data from infected networks.
Evidence of data theft and evidence of the use of data theft malware has been observed so far in infections with the Maze, REvil, and Snatch ransomware — and now Zeppelin.
It is believed that the stolen data is used to put pressure on victim companies to pay, rather than restore from backups.
However, over the past few weeks, another trend has been developing, where some of these ransomware gangs are threatening victims to leak data on the public internet if they don’t.
This pay-or-we-will-leak-your-data approach is currently being used by the Maze ransomware gang. They recently created a website on the public internet where they list all the victim companies who didn’t pay and have started leaking some of their data.
The operators of the REvil ransomware have also shown an interest in adopting a similar approach, albeit no case has been publicly documented as of yet.
For now, the Zeppelin gang has only been seen stealing victim data, but not making extortion demands to leak data if they’re not paid. Although, as the ransomware scene is evolving, this might change in the future as the tactic is adopted by more and more threat actors.