Ransomware Recap: Snatch and Zeppelin Ransomware

Updated on December 12, 2019 at 6:01 PM PST to amend detection names for Snatch ransomware.

Two ransomware families – Snatch and Zeppelin – with noteworthy features were spotted this week. Snatch ransomware is capable of forcing Windows machines to reboot into Safe Mode. Zeppelin ransomware, on the other hand, was responsible for infecting healthcare and IT organizations across Europe and the U.S.

Snatch Ransomware Reboots PCs in Safe Mode to Evade Security

Snatch reboots infected machines into Safe Mode to bypass security software and encrypt files without being detected. It was designed to do this because security software often does not run in Windows Safe Mode, which is meant for debugging and recovering a corrupt operating system (OS).

Researchers at SophosLabs found that the ransomware operators use a Windows registry key to schedule a Windows service called SuperBackupMan, which can run in Safe Mode and cannot be stopped or paused. The malware even goes further by deleting all volume shadow copies on the system, thus preventing the forensic recovery of encrypted files.
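The following detection sketch is an added example, not code from this article or from the researchers it cites. It flags the three behaviors described above (a service registered to run in Safe Mode, a Safe Mode boot being configured, and shadow copy deletion) and escalates when all three appear on one host. The event field names, the use of the standard Windows SafeBoot registry location, the command-line patterns, and the baseline entry "ExampleAgent" are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from a real incident). Field names are
# assumptions; "ExampleAgent" is a hypothetical, legitimately registered service.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "registry_set", "target":
     r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan"},
    {"host": "ws-01", "type": "process",
     "cmdline": "bcdedit.exe /set {current} safeboot minimal"},
    {"host": "ws-01", "type": "process",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-02", "type": "process", "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws-03", "type": "registry_set", "target":
     r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExampleAgent"},
]

# Services listed under the SafeBoot key are allowed to start in Safe Mode.
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(?:Minimal|Network)\\([^\\]+)$", re.I)
SAFEBOOT_CMD = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)

def classify(event, baseline=frozenset()):
    """Return the signal an event raises, or None if it is benign or baselined."""
    if event["type"] == "registry_set":
        m = SAFEBOOT_KEY.search(event.get("target", ""))
        if m and m.group(1).lower() not in baseline:
            return "safeboot_service_registered"
    elif event["type"] == "process":
        cmd = event.get("cmdline", "")
        if SAFEBOOT_CMD.search(cmd):
            return "safe_mode_boot_configured"
        if SHADOW_DELETE.search(cmd):
            return "shadow_copies_deleted"
    return None

def triage(events, baseline=frozenset()):
    """Map host -> (severity, signals); all three signals on one host is 'high'."""
    seen = defaultdict(set)
    for ev in events:
        sig = classify(ev, baseline)
        if sig:
            seen[ev["host"]].add(sig)
    return {h: ("high" if len(s) == 3 else "review", sorted(s)) for h, s in seen.items()}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS, baseline={"exampleagent"}).items():
        print(host, verdict)
```

The baseline should hold the lowercase names of services your own tooling legitimately registers for Safe Mode, so that only unexpected entries raise a signal.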

Snatch ransomware, first discovered back in 2018, does not target home users or use mass distribution methods such as spam campaigns or browser-based exploits. Instead, the malware operators go after a small list of targets that include companies and government organizations. The operators were also found recruiting hackers on hacking forums and stealing information from target organizations.

Zeppelin Ransomware Targets Healthcare and IT Organizations in Europe and the US

Zeppelin, which is a new variant of the VegaLocker/Buran ransomware, was spotted (with compilation timestamps no earlier than November 6, 2019) infecting companies located in Europe and the U.S. through targeted installs. Reported by BlackBerry Cylance, the Zeppelin ransomware, also a ransomware-as-a-service (RaaS) family, was found being used to infect certain healthcare and IT companies.

Zeppelin ransomware appears to be highly configurable and can be deployed as a .dll or .exe file, or wrapped in a PowerShell loader. Aside from encrypting files, it also terminates various processes, including those associated with backup, database, and mail servers. Zeppelin executables were found wrapped in three layers of obfuscation. Its ransom notes range from generic messages to elaborate notes tailored to specific organizations. Notably, it appears Zeppelin ransomware is not being widely distributed — or at least not yet.

The researchers believe that Zeppelin, similar to Sodinokibi ransomware, is being spread through managed service providers (MSPs) to further affect customers. Moreover, the ransomware can also be distributed through malvertising operations and watering hole attacks.

How to Protect Against Ransomware

Aside from maintaining an up-to-date operating system to address exploitable vulnerabilities, users should adopt the standard best practice of backing up data via the 3-2-1 rule. Users can also consider deploying comprehensive, multilayered security solutions that will protect against ransomware attacks coming from different entry points. Here are other measures that users and organizations can implement to prevent ransomware attacks:

  • Secure ports and services that are exposed on the internet
  • Enable multifactor authentication to protect admin accounts from potential brute-force attacks
  • Secure remote access tools as they can be used as entry points
  • Employ the principle of least privilege and regularly monitor your network for threats
  • Perform regular password audits for stronger access control

Trend Micro solutions such as the Smart Protection Suites and Worry-Free Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro XGen security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.

Indicators of Compromise (IoCs)

Snatch ransomware

Trend Micro Predictive Machine Learning detection: Troj.Win32.TRX.XXPE50FFF033
Trend Micro pattern detections: Ransom.Win32.SNATCH.B, Ransom.Win64.SNATCH.AB

Zeppelin ransomware

Trend Micro pattern detection: Ransom.Win32.ZEPPELIN.A
