The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned US organizations today that attackers deploying Zeppelin ransomware might encrypt their files multiple times.
The two federal agencies also shared tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help security professionals detect and block attacks using this ransomware strain.
“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys,” a joint advisory published today revealed.
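The practical consequence of that observation is that a responder has to find out how many separate encryption runs hit an estate before negotiating, buying or testing any decryptor, because each run's ID maps to its own key. The script below is an added triage example, not code from the advisory, the article or the FBI: it walks a directory tree, peels the appended ID (or chain of IDs, for files hit more than once) off each filename, and reports how many distinct IDs, and therefore keys, are involved. The ID pattern it matches (three hyphen-separated hex groups) is an assumption for illustration and should be replaced with the extension seen in your own samples and ransom note; the sample tree it builds is constructed, not real victim data.

```python
import os
import re
import tempfile
from collections import defaultdict

# Assumed (hypothetical) pattern for the ID appended to each encrypted file:
# three hyphen-separated hex groups, e.g. "report.docx.A1B-2C3-D4E".
# Adjust this to the extension observed in your own samples and ransom note.
ENC_ID_RE = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$", re.IGNORECASE)


def encryption_ids(filename):
    """Return the encryption IDs carried by a filename, in the order the
    runs were applied (innermost first). A file hit by two runs looks like
    'name.ext.<ID1>.<ID2>', so IDs are peeled off the end and reversed."""
    ids = []
    rest = filename
    while True:
        m = ENC_ID_RE.search(rest)
        if not m:
            break
        ids.append(m.group(1).upper())
        rest = rest[:m.start()]
    ids.reverse()
    return ids


def inventory(root):
    """Walk root and group encrypted files by ID. A file carrying several
    IDs is listed under each of them, because every run needs its own key.
    Returns (by_id, multi): by_id maps ID -> sorted relative paths,
    multi lists (path, ids) for files encrypted more than once."""
    by_id = defaultdict(list)
    multi = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ids = encryption_ids(name)
            if not ids:
                continue  # untouched file, ransom note, or non-matching name
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            for eid in ids:
                by_id[eid].append(rel)
            if len(ids) > 1:
                multi.append((rel, ids))
    return {eid: sorted(paths) for eid, paths in by_id.items()}, sorted(multi)


def summarize(by_id, multi):
    """Condense the inventory into the numbers a responder reports: how many
    distinct runs (= decryption keys needed), how many files each run
    touched, and how many files were encrypted more than once."""
    return {
        "keys_needed": len(by_id),
        "files_per_id": {eid: len(paths) for eid, paths in by_id.items()},
        "double_encrypted": len(multi),
    }


# Constructed sample tree (not real victim data) so the script runs stand-alone.
SAMPLE_FILES = [
    "docs/report.docx.A1B-2C3-D4E",
    "docs/budget.xlsx.A1B-2C3-D4E",
    "hr/payroll.csv.A1B-2C3-D4E.F00-1A2-BBB",  # hit by both runs
    "hr/notes.txt.F00-1A2-BBB",
    "hr/untouched.txt",
    "bin/tool.exe",
]


def build_sample_tree(root):
    """Create the constructed sample files under root with placeholder bytes."""
    for rel in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")


def demo():
    """Run the inventory over the constructed tree and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        by_id, multi = inventory(root)
        return summarize(by_id, multi)


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted copy of the affected volume rather than the live host, and treat the per-ID file lists as the "benign sample of an encrypted file" the FBI asks for: one sample per ID, since a decryptor for one run will not open files from another. Tighten the regex if legitimate filenames in your environment happen to end in a similar pattern.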
Observed by the FBI as recently as June 21, Zeppelin is a Ransomware-as-a-Service (RaaS) operation whose malware has gone through several name changes, from VegaLocker to Buran, Jamper, and now Zeppelin.
Zeppelin affiliates have been active since at least 2019, targeting businesses and critical infrastructure organizations such as defense contractors and technology companies, with a focus on entities from the healthcare and medical industries.
They are also known for stealing data for double extortion and making ransom requests in Bitcoin, with the initial demands ranging from several thousand dollars to more than a million dollars.
Request for info linked to Zeppelin ransomware attacks
The FBI also asked IT admins who detect Zeppelin ransomware activity within their enterprise networks to collect and share any related information with their local FBI Field Office.
Valuable data that can help identify the attackers behind this ransomware gang includes “boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”
The FBI added that it does not encourage paying Zeppelin ransom demands and advised victims against it, since paying offers no guarantee that data will not be leaked or that the attackers will not return.
Instead, giving in to their demands will likely motivate the attackers to target more victims and incentivize other cybercrime groups to join them in ransomware attacks.
CISA and the FBI also advised organizations to take measures to defend against Zeppelin ransomware attacks, such as:
prioritizing patching vulnerabilities exploited in the wild,
training their employees and users to recognize and report phishing attempts,
enabling and enforcing multi-factor authentication.