Cybersecurity Advisory: Zeppelin Ransomware Targets Healthcare Orgs

Aug. 17, 2022
The FBI and CISA released a joint advisory on Aug. 11 regarding Zeppelin ransomware, a derivative of the Delphi-based Vega malware family that functions as a Ransomware as a Service and targets critical infrastructure, particularly healthcare and medical organizations.

On Aug. 11, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to broadcast the known Zeppelin ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware variants identified through FBI investigations as recently as June 21.

The advisory states that “Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS). From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”

Further, “Zeppelin actors gain access to victim networks via RDP exploitation [T1133], exploiting SonicWall firewall vulnerabilities [T1190], and phishing campaigns [T1566]. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups [TA0007]. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.

“Prior to encryption, Zeppelin actors exfiltrate [TA0010] sensitive company data files to sell or publish in the event the victim refuses to pay the ransom. Once the ransomware is executed, a randomized nine-digit hexadecimal number is appended to each encrypted file as a file extension, e.g., file.txt.txt.C59-E0C-929 [T1486]. A note file with a ransom note is left on compromised systems, frequently on the desktop.”

The statement notes that the FBI has observed cases where Zeppelin actors executed their malware several times within a victim’s network, resulting in different IDs or file extensions for each attack. A victim hit this way needs several unique decryption keys to recover its files.
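The two paragraphs above give a responder something concrete to check: every encrypted file carries the run's nine-digit hexadecimal ID as its last extension, and the number of distinct IDs on disk is the number of decryption keys a recovery would need. The following is an added triage script, not code from the advisory or from the FBI/CISA, that scans a file listing for that extension pattern and groups hits by ID. The three-by-three hyphenated layout of the ID is inferred from the advisory's single example (`file.txt.txt.C59-E0C-929`) and is an assumption, as is matching it case-insensitively; the sample paths are constructed.

```python
import os
import re
from collections import defaultdict

# Zeppelin appends a randomized nine-digit hexadecimal ID to each encrypted
# file as a new extension; the advisory's example is "file.txt.txt.C59-E0C-929".
# The 3-3-3 hyphenated layout is taken from that one example and is an
# assumption, as is matching case-insensitively.
ZEPPELIN_ID_RE = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$", re.IGNORECASE)


def zeppelin_id(filename):
    """Return the normalized Zeppelin ID carried by a filename, or None."""
    m = ZEPPELIN_ID_RE.search(filename)
    return m.group(1).upper() if m else None


def triage(paths):
    """Group encrypted file paths by Zeppelin ID.

    Each distinct ID corresponds to a separate run of the ransomware and, per
    the advisory, to a separate decryption key. Returns {id: [path, ...]}.
    Paths may use '/' or '\\' separators; only the final component is matched.
    """
    runs = defaultdict(list)
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        fid = zeppelin_id(name)
        if fid is not None:
            runs[fid].append(path)
    return dict(runs)


def summarize(runs):
    """The counts a responder wants first: files hit, IDs seen, keys needed."""
    return {
        "encrypted_files": sum(len(v) for v in runs.values()),
        "distinct_ids": sorted(runs),
        "decryption_keys_needed": len(runs),
    }


def scan_tree(root):
    """Walk a real filesystem tree and triage every file found under it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)


# Constructed sample listing for a stand-alone run; not from any real incident.
SAMPLE_PATHS = [
    "/srv/share/finance/q2-report.xlsx.xlsx.C59-E0C-929",
    "/srv/share/finance/readme.txt.txt.C59-E0C-929",
    "/srv/share/radiology/scan01.dcm.dcm.7A1-0B2-F3D",  # second run, second key
    "/srv/share/radiology/scan02.dcm.dcm.7A1-0B2-F3D",
    "/srv/share/it/notes.txt",                           # untouched
    "/srv/share/it/backup-2022-08-11.zip",               # hyphens, but not an ID
]

if __name__ == "__main__":
    runs = triage(SAMPLE_PATHS)
    for fid, files in sorted(runs.items()):
        print(f"ID {fid}: {len(files)} file(s)")
    print(summarize(runs))
```

Point `scan_tree()` at a mounted copy of an affected share to get the same grouping for a real incident. The pattern is deliberately coarse: any file whose last extension happens to be three hyphenated hex triplets is flagged, so confirm a hit against the ransom note on the host and keep one benign encrypted sample per ID, since that is among the artifacts the FBI asks victims to share.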

To limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise from Zeppelin, the FBI and CISA recommend mitigations including:

  • Implementing a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location
  • Requiring all accounts with password logins to comply with National Institute of Standards and Technology (NIST) standards for password policies
  • Requiring multifactor authentication, to the extent possible, for all services
  • Keeping all operating systems, software, and firmware up to date
  • Segmenting networks to prevent the spread of ransomware
  • Identifying, detecting, and investigating abnormal activity

The full list of mitigation tactics can be found in the advisory.

The statement concludes by saying that “The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.”
