Zeppelin Is Back! Ransomware Stealing Data Via Remote Management Software
Hackers are employing remote management software to steal data and exploit networks only to install “Zeppelin” ransomware on compromised devices.
Reportedly, “ConnectWise” is the name of the software that fabricates agents that are installed on target computers. Once the agent kicks off, the device appears on the ConnectWise Control Site management software.
“ConnectWise” is a remote management software generally employed by MSPs and IP professionals to acquire access and render support to remote devices.
The ransomware Zeppelin was recently per reports spread via “ScreenConnect” which is a desktop control tool basically in charge of remotely executing commands on a user’s device and managing it.
The ScreenConnect client was installed on a compromised station leading to a massive real estate company’s network being jeopardized.
The client that is named, ScreenConnect.ClientService.exe would run in the background undetected waiting all the while for a “remote management connection”.
The software was then used to execute numerous commands that harvest data from back-up systems and install malware, Trojans capable of stealing data, other exploitation tools to make the network more vulnerable and finally the Zeppelin ransomware to infect machines.
The attack starts with the execution of the CMD script that readies the device for the ransomware installation. A “registry file” is installed which “configures the public encryption key”, which is then used by the ransomware to disable Windows defender by deactivating several security mechanisms.
Per reports, the hacker would execute a PowerShell command that downloads the Zeppelin ransomware in form of a file by the name of “oxfordnew.exe or oxford.exe on the C drive of Windows in the “Temp folder” section.
In most cases, such ransomware attacks are employed by firstly hacking the MSP and then configuring the remote management software to wreak havoc.
Instead, here, the hackers themselves deployed the ScreenConnect software only to have complete control over the situation and making as much trouble as possible.
Ransomware is being used at high rates where repeated incidents of stealing data are coming in light. The hackers use the stolen data as a weight to get people to pay in exchange for it.
Zeppelin, Maze, and REvil are leading names in the ransomware market.