The FBI and CISA released a warning late last week on the resurgence of Zeppelin ransomware seen in the wild with new observed tactics. Zeppelin is being used as ransomware as a service (RaaS) and is taking advantage of remote desktop protocols and firewall vulnerabilities to breach business networks alongside traditional phishing tactics. According to the advisory released Thursday, Zeppelin attackers have used the malware multiple times within a single network, which creates numerous attack instances and requires multiple unique decryption keys to unlock all of the data.
The report cites business sectors attacked, “…actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.”
Attackers spent one to two weeks mapping the network, cloud storage, and backups after successfully infiltrating the network. The report cites Zeppelin threat actors using double extortion tactics by threatening to release or sell the data they exfiltrate if the business recovers from backups and refuses to pay the ransom. Zeppelin attackers request payment in Bitcoin from several thousand dollars to more than $1 million. After data is exfiltrated and corrupted, threat actors typically leave a note on the desktop with instructions on the next steps. Below is an example of a ransom note from CISA:
This notification was part of CISA’s #stopransomware campaign, a one-stop resource for ransomware news, alerts, response, and services. The site ranges from very technical to simple steps a business should take to limit its vulnerability.
The alert also goes into detail on a long list of mitigations the FBI and CISA recommend, including MFA, network segmentation, and backup encryption. Click here to read the report and the complete list of mitigations.
Quanexus IT Support Services for Dayton and Cincinnati
Request your free network assessment today. There is no hassle, or obligation.
If you would like more information, contact us here or call 937.885.7272.
Follow us on Facebook, Twitter and LinkedIn and stay up to date on by subscribing to our email list.