FBI Warns U.S. Organizations Against the Wrath of Zeppelin


Aug 19, 2022
The CISA and the FBI have warned against ongoing Zeppelin ransomware attacks encrypting files multiple times. The recent warning is issued to U.S. organizations working in multiple sectors.

About the warning

The agencies shared the TTPs and IOCs to help security admins identify and block ransomware attacks.
  • The FBI spotted the ransomware in June. It is operating as a RaaS and its malware has gone through multiple name changes from VegaLocker to Buran, Jamper, VegaLocker, and now Zeppelin.
  • In some cases, Zeppelin operators executed their malware multiple times, resulting in the creation of different IDs or file extensions, ensuring that the victim needed multiple unique decryption keys.

Zeppelin’s profile

According to reports, affiliates of Zeppelin have been active since 2019, targeting businesses and critical infrastructures, such as defense contractors and technology firms, while eyeing entities from healthcare and medical sectors as well.
  • The attackers are known for stealing data for double extortion and ransom requests in Bitcoin, with starting demands ranging from thousands of dollars to more than a million dollars.
  • For infection, Zeppelin uses RDP exploitation, SonicWall firewall vulnerabilities, and phishing attacks.
  • Zeppelin is usually deployed as a .dll or .exe file, or added inside a PowerShell loader.

Suggestions by FBI

  • The FBI urges IT admins who identified Zeppelin ransomware activity within their networks to collect and share any type of related information with their local FBI Field Office.
  • The FBI does not encourage paying ransom and advises victims against it. Paying the ransom gives no certainty that attackers will stop future attacks or not leak data.


The agencies advise organizations to take measures to stay protected from Zeppelin ransomware. These measures include patching exploited vulnerabilities, training employees and users to identify and report phishing attempts, and enabling and implementing multi-factor authentication.
