Zeppelin ransomware is targeting the healthcare sector with a new campaign that involves multi-encryption tactics. The threat actors behind the ransomware gain access to victims’ networks via RDP exploitation, SonicWall firewall vulnerabilities, and phishing campaigns.
Prior to gaining access to their victim’s network, Zeppelin’s actors spend up to two weeks mapping or enumerating the victim’s network to identify data enclaves, such as cloud storage and backups. Additionally, Zeppelin’s actors exfiltrate sensitive data files to sell or publish prior to encryption; the exfiltrated data is used to blackmail the victim if they refuse to pay the demanded ransom. The FBI has also observed the malware being executed several times within a victim’s network, resulting in the victim needing several unique decryption keys.
CISA and the FBI warned that Zeppelin ransomware is targeting critical infrastructure organizations as well as organizations within manufacturing, technology, defense, and education. Zeppelin’s operators are known to leave ransom notes on their victims’ systems requesting ransom payments in Bitcoin; the amounts demanded range from thousands of dollars to over a million dollars.
According to CISA, Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and operates as a Ransomware-as-a-Service (RaaS). Avertium recommends that you implement the suggested recommendations to reduce the impact of a ransomware incident from Zeppelin.
The FBI, CISA, and Avertium recommend the following mitigations to reduce the risk of an attack by Zeppelin ransomware:
INDICATORS OF COMPROMISE (IOCs):
Note: For the complete list of IoCs, please click here.