The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned US organizations on Thursday that attackers deploying Zeppelin ransomware could encrypt their devices multiple times.
The two federal agencies also shared tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help security researchers detect and block attacks using this ransomware strain.
“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys,” the agencies revealed in a joint advisory.
Zeppelin is a Ransomware-as-a-Service (RaaS) operation that was first detected by the FBI on June 21. Its malware has gone through several name changes, from VegaLocker to Buran to Jamper, and is now known as Zeppelin.
Zeppelin affiliates have been active since 2019 and have targeted businesses and critical infrastructure organizations such as defense contractors and technology companies. They have also focused on entities in the healthcare and medical industries.
The threat actors are also known for stealing data for double extortion and making ransom requests in Bitcoin. Their initial ransom demands ranged from several thousand dollars to more than a million dollars.
Additionally, the FBI asked IT admins who detect any Zeppelin ransomware activity within their networks to collect and share any related information with their local FBI Field Office.
Important data that could assist in identifying the threat actors behind the ransomware attacks include “boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”
The FBI also advised victims against paying Zeppelin ransomware demands, since there’s no guarantee that paying the ransom will prevent data leaks or future attacks.
Giving in to the attackers’ demands will instead motivate them to target more victims and encourage other cybercrime groups to join them in ransomware attacks, the agency added.
CISA and the FBI also advised organizations to take measures to defend against Zeppelin ransomware attacks, including:
- prioritizing patching vulnerabilities exploited in the wild,
- training their employees and users to recognize and report phishing attempts,
- enabling and enforcing multi-factor authentication.