Overview of of zeppelin ransomware

Zeppelin ransomware is targeting the healthcare sector with a new campaign that involves multi-encryption tactics. The threat actors behind the ransomware gain access to victims’ networks via RDP exploitation, SonicWall firewall vulnerabilities, and phishing campaigns.  

Prior to gaining access to their victim’s network, Zeppelins’ actors spend up to two weeks mapping or enumerating their victim’s network to identify data enclaves, such as cloud storage and backups. Additionally, Zeppelins’ actors exfiltrate sensitive data files to sell or publish prior to encryption. The exfiltrated data is used to blackmail the victim if they refuse to pay the demanded ransom. Also, the FBI has observed the malware being executed several times within a victim’s network, resulting in the victim needing several unique decryption keys.  

CISA and the FBI warned that Zeppelin ransomware is targeting critical infrastructure organizations as well as organizations within manufacturing, technology, defense, and education. Zeppelins’ operators are known to leave ransom notes on their victims’ systems, requesting ransom payments in Bitcoin. The ransom amounts range from thousands of dollars to over a million dollars. 

According to CISA, Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and operates as a Ransomware-as-a-Service (RaaS). Avertium recommends that you implement the suggested recommendations to reduce the impact of a ransomware incident from Zeppelin.  



How Avertium is Protecting Our Customers:

  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident. 
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you will have no more blind spots, weak links, or fire drills. 
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, and threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement. 



Avertium's recommendations

The FBI, CISA, and Avertium recommend the following mitigations to reduce the risk of an attack by Zeppelin ransomware:  

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). 
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies. 
    • Use longer passwords consisting of at least eight characters and no more than 64 characters in length 
    • Store passwords in hashed format using industry-recognized password managers 
    • Add password user “salts” to shared login credentials 
    • Avoid reusing passwords 
    • Implement multiple failed login attempt account lockouts 
    • Disable password “hints” 
    • Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher. 
    • Require administrator credentials to install software. 


  • 73627cbe2ba139e2ec26889a4e8d6284 
  • 7ab0676262c681b8ec15bdada17d7476 
  • bfe7f54f1f0640936dd7a3384608b1f6 
  • 1116dc35993fce8118e1e5421000a70b6777433f 
  • 2f1803d444891abb604864d476a8feac0d614f77 
  • 9436ccee41c01ca3cb4db55c10884615aba76d19 
  • 353e59e96cbf6ea6c16d06da5579d3815aaaeeefacabd7b35ba31f7b17207c5b 
  • 37efe10b04090995e2f3d9f932c3653b27a65fc76811fa583934a725d41a6b08 
  • 8170612574f914eec9e66902767b834432a75b1d6ae510f77546af2a291a48a2 
  • 17c5cae3bce5832dd42986fe612517d9 
  • 6f70e73c53d7622d8c4808ae7849133df1343484 
  • d618c1ccd24d29e911cd3e899a4df2625155297e80f4c5c1354bc2e79f70768c 
  • 0a1cd4efda7543cec406a6822418daf6 
  • 183b6b0c90c1e0276a2015752344a4cf 
  • 1da1c0115caca5ebf064380eb7490041 
  • 23eda650479fc4908d0ddff713508025 
  • 291de974e5cbe5e3d47e3d17487e027f 
  • 37f18b38e1af6533d93bbb3f2ddb86dc 
  • 450e5bf4b42691924d09267ac1a570cb 
  • 4534f2afe5f7df1d998f37ad4e35afeb 
  • 477eedb422041385e59a4fff72cb97c1 
  • 48b844494a746ca96c7b96d6bd90f45f 
  • 51104215a618a5f56ad9c884d6832f79 
  • 5841ef35aaff08bb03d25e5afe3856a2 
  • 6607d8c1a28d7538e2a6565cf40d1260 
  • 78621f1e196497d440afb57f4609fcf9 
  • 7a296f7c1ac4aeee18d4c23476735be7 
  • 7afe492a38ca6f27e24028aab68406b5 
  • 8c3c663ffcf363d087f4e114a79945ca 
  • 9349e1cc3de7c7f6893a21bd6c3c4a6b 
  • 935f54b6609c5339001579e96dc34244 
  • 981526650af8d6f8f20177a26abb513a 
  • 99d59c862a082b207a868e409ce2d97c 
  • 9c13ab7b79aec8dc02869999773cd4b2 
  • aa2048271f0aef3383480ce4a7c93b52 
  • b1f6370582fbaf5c51e826fecef53cd7 
  • ba681db97f283c2e784d9bb4969b1f5a 
  • bb30f050546f5d6e61fafc59eaf097c3 
  • bc6c991941d9afbd522fa0a2a248a97a 
  • c1ab7b68262b5ab31c45327e7138fd25 
  • c25d45e9bbfea29cb6d9ee0d9bf2864d 
  • c8f75487d0d496a3746e6c81a5ecc6dc 
  • caa7a669da39ffd8a3a4f3419018b363 
  • cf5a358a22326f09fd55983bb812b7d8 
  • d27125d534e398f1873b7f4835a79f09 
  • d6c4b253ab1d169cf312fec12cc9a28f 
  • d7d3d23a5e796be844af443bda5cd67e 
  • de785ed922d4e737dc0fa0bb30a4de8b 
  • e4f1f05c2e6c3fc2f3336a8c8799ffb4 
  • f28af04ef0370addfebfdd31f1ec25ed 
  • f3490951ae51922cb360a3d76a670159 
  • f3bcad5358f89df1eb0294ef53f54437 
  • f4e0ee0200de397691748a2cdcd7e34a 
  • f66b738e1bfe1f8aab510abed850c424 
  • f818938b987236cdd41195796b4c1fb5 
  • fba7180ad49d6a7f3c60c890e2784704 
  • 0f47c279fea1423c7a0e7bc967d9ff3fae7a0de8 
  • 1862f063c30cd02cfea6070d3dba41ac5eee2a35 
  • 1addcffae4fd4211ea24202783c2ffad6771aa34 
  • 1cb5e8132302b420af9b1e5f333c507d8b2a2441 
  • 44538b7f8f065e3cef0049089a8522a76a7fccc6 
  • 4b2d0127699f708a8116bff8f25c9d6140033197 
  • 4b4d865132329e0dd1d129e85fc4fa9ad0c1d206 

Note: For the complete list of IoCs, please click here 


Supporting documentation

#StopRansomware: Zeppelin Ransomware | CISA 

Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics | Threatpost 

Agencies advise action to protect against Zeppelin ransomware | AHA News 

Zeppelin Ransomware IoCs - AlienVault - Open Threat Exchange 





Related Reading: An In-Depth Look at Quantum Ransomware


Contact us for more information about Avertium’s managed security service capabilities. 

Chat With One of Our Experts

zeppelin ransomware healthcare Flash Notice Zeppelin Ransomware Blog