The FBI and US Cybersecurity and Infrastructure Security Agency (CISA) have published a joint advisory to help organizations defend against the Zeppelin ransomware-as-a-service as part of their #StopRansomware effort.
“From 2019 through at least June 2022,” the agencies say, “actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.”
Hackers using Zeppelin have demanded payments “ranging from several thousand dollars to over a million dollars” worth of Bitcoin, the FBI and CISA say. The attackers can also extort their victims by compromising “sensitive company data files” and threatening to leak them if the organization doesn’t pay the ransom.
Zeppelin can also be deployed more than once. “The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network,” the agencies say, “resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.”
BlackBerry reported in 2019 that Zeppelin was related to the Vega ransomware family, but also quite different from its predecessors, especially in that it was “designed to quit if running on machines that are based in Russia and some other ex-USSR countries.” Prior versions of the ransomware specifically targeted Russian speakers.
The company said this distinction, “as well as differences in victim selection and malware deployment methods, suggest that this new variant of Vega ransomware ended up in the hands of different threat actors—either used by them as a service, or redeveloped from bought/stolen/leaked sources.” This advisory backs up that initial report.
The FBI and CISA published known indicators of compromise as well as the tactics, techniques, and procedures associated with Zeppelin in their joint advisory, which also includes the agencies’ recommendations for organizations looking to defend their networks against this particular strain of ransomware.