CISA and FBI Warn Against Ransomware Group Zeppelin

The cyber extortionists are active in the USA and Europe. They demand ransoms in the seven-figure range. When compromising networks, Zeppelin proceeds very carefully.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning of a ransomware gang called Zeppelin. The cybercriminals mainly target large companies in the USA and Europe. The group is also notable for its high ransom demands, which in some cases exceed one million dollars.

The group’s activities can apparently be traced back to 2019, when the ransomware was still called VegaLocker. According to the security alert, the cyber extortionists primarily look for victims in the healthcare sector, but they are also said to have attacked defence companies, educational institutions and technology firms.

The hackers compromise their victims’ networks through vulnerabilities in exposed Remote Desktop Protocol (RDP) services and SonicWall firewalls. The Zeppelin group also relies on phishing to gain access. In the case of the British National Health Service, Word macros were also used to deliver the malware, a technique Microsoft has since made more difficult.

Zeppelin encrypts files multiple times

In their advisory, the two authorities also refer to an analysis by Core Security. According to this, the cyber extortionists proceed very carefully while deploying their ransomware: they are said to spend up to two weeks surveying a network, including cloud storage and network backups. The actual malware is then installed as a DLL or executable file via a PowerShell loader.

Zeppelin also ensures that victims need not one but several keys to decrypt their data. A compromised computer often receives multiple IDs, with the extension appended to an encrypted file acting as the ID.

“The FBI has observed instances where Zeppelin actors have run their malware multiple times on a victim’s network, resulting in a different ID or file extension being created for each attack; this results in the victim needing multiple unique decryption keys,” the advisory said.
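An incident-response triage helper, added here as an illustration rather than code from the advisory or the article: given a file listing from an affected host, it groups encrypted files by the ID carried in their extension, so a responder can tell how many distinct decryption keys the repeated runs described above imply and which files depend on each. The ID suffix pattern and the sample paths are constructed assumptions, not values from the advisory.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed ID format for this example: an appended suffix of three groups of
# three hex characters (e.g. ".1A2-B3C-4D5"). The article only says the
# extension acts as the ID; this exact pattern is a constructed assumption.
ID_SUFFIX = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$")


def group_by_id(paths: Iterable[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group encrypted files by the ID appended to their name.

    Returns (files_per_id, untouched): files_per_id maps each distinct ID to
    the files carrying it; untouched lists files with no ID suffix. Each
    distinct ID corresponds to one decryption key that must be obtained.
    """
    files_per_id: Dict[str, List[str]] = defaultdict(list)
    untouched: List[str] = []
    for path in paths:
        m = ID_SUFFIX.search(path)
        if m:
            files_per_id[m.group(1)].append(path)
        else:
            untouched.append(path)
    return {k: sorted(v) for k, v in files_per_id.items()}, untouched


def keys_needed(paths: Iterable[str]) -> int:
    """Number of distinct decryption keys implied by the IDs seen."""
    return len(group_by_id(paths)[0])


# Constructed sample listing: two encryption runs (two IDs) on one host.
SAMPLE_PATHS = [
    r"C:\Finance\q3.xlsx.1A2-B3C-4D5",
    r"C:\Finance\q4.xlsx.1A2-B3C-4D5",
    r"C:\HR\contracts.docx.9F0-E1D-2C3",
    r"C:\Windows\System32\notepad.exe",  # left untouched by the malware
]

if __name__ == "__main__":
    grouped, untouched = group_by_id(SAMPLE_PATHS)
    print(f"{len(grouped)} distinct ID(s) -> {len(grouped)} key(s) needed")
    for file_id, files in grouped.items():
        print(f"  {file_id}: {len(files)} file(s)")
    print(f"{len(untouched)} file(s) without an ID suffix")
```

On a real host, feed `group_by_id` the output of a recursive directory walk and keep the per-ID manifest with the incident record, since each ID is a separate negotiation or recovery item.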

Both agencies encourage Zeppelin victims to report ransomware incidents to the FBI or CISA. According to the advisory, the US Secret Service also takes reports of ransomware attacks. “The FBI is looking for any information that can be shared, including logs showing communications to and from foreign IP addresses, a pattern of ransomware, communications with Zeppelin actors, Bitcoin wallet information, decryption files, and/or a benign pattern of an encrypted file,” the agencies added.