CISA and the FBI have warned about ongoing Zeppelin ransomware attacks in which files are encrypted multiple times. The warning is addressed to U.S. organizations across multiple sectors.
About the warning
The agencies shared the TTPs and IOCs to help security admins identify and block the ransomware attacks.
- The FBI spotted the ransomware in June. It operates as a RaaS, and its malware has gone through multiple name changes, from VegaLocker to Buran, Jamper, and now Zeppelin.
- In some cases, Zeppelin operators executed their malware multiple times against the same victim, producing different IDs or file extensions, so that the victim needed multiple unique decryption keys.
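A defender-side triage helper, added here as an example and not part of the advisory: given a file inventory from an affected share, it peels stacked appended IDs off file names to count how many distinct encryption passes, and therefore how many decryption keys, the file set involves. The ID format, the regex and the sample paths are constructed for this example; the real Zeppelin naming scheme is not described on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed ID format for this example only: three groups of three uppercase
# hex characters appended as an extension, e.g. ".A1B-2C3-D4E". The real
# Zeppelin naming scheme is not given in the advisory summary above.
ID_RE = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$")

@dataclass(frozen=True)
class EncryptedFile:
    original: str      # path with every appended ID removed
    ids: tuple         # appended IDs, innermost (first encryption pass) first

def split_layers(path: str) -> EncryptedFile:
    """Peel stacked victim-ID extensions off a path, outermost first."""
    ids = []
    while (m := ID_RE.search(path)):
        ids.append(m.group(1))
        path = path[: m.start()]
    ids.reverse()  # report in the order the passes were applied
    return EncryptedFile(path, tuple(ids))

def triage(paths):
    """Return (distinct IDs, histogram of encryption layers per file, parsed files).
    Each distinct ID corresponds to one malware execution and so to one
    decryption key; files with two or more layers were encrypted repeatedly
    and need every key, applied from the outermost layer inward.
    """
    files = [split_layers(p) for p in paths]
    ids = sorted({i for f in files for i in f.ids})
    layers = dict(Counter(len(f.ids) for f in files))
    return ids, layers, files

# Constructed sample inventory: one share hit by two separate executions.
SAMPLE = [
    r"C:\share\finance\budget.xlsx.A1B-2C3-D4E",
    r"C:\share\finance\notes.txt.A1B-2C3-D4E.F5A-6B7-C8D",
    r"C:\share\hr\roster.csv.F5A-6B7-C8D",
    r"C:\share\hr\README.md",
]

if __name__ == "__main__":
    ids, layers, files = triage(SAMPLE)
    print(f"distinct encryption IDs (keys needed): {ids}")
    print(f"files by number of encryption layers: {layers}")
    for f in files:
        if len(f.ids) > 1:
            print(f"multiply encrypted: {f.original} <- {list(f.ids)}")
```

Files with zero layers are untouched and can be excluded from recovery planning; files with more than one layer are the ones the advisory's observation about repeated execution describes.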
Zeppelin's profile
According to reports, Zeppelin affiliates have been active since 2019, targeting businesses and critical infrastructure, such as defense contractors and technology firms, while also going after entities in the healthcare and medical sectors.
- The attackers are known for stealing data for double extortion and ransom requests in Bitcoin, with starting demands ranging from thousands of dollars to more than a million dollars.
- For initial access, Zeppelin operators use RDP exploitation, SonicWall firewall vulnerabilities, and phishing.
- Zeppelin is usually deployed as a .dll or .exe file, or wrapped in a PowerShell loader.
Suggestions by FBI
- The FBI urges IT admins who identify Zeppelin ransomware activity within their networks to collect any related information and share it with their local FBI field office.
- The FBI does not encourage paying the ransom and advises victims against it. Paying offers no certainty that the attackers will stop future attacks or refrain from leaking stolen data.
Recommendations
The agencies advise organizations to take measures to stay protected from Zeppelin ransomware. These measures include patching exploited vulnerabilities, training employees and users to identify and report phishing attempts, and enabling and enforcing multi-factor authentication.