The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on August 11 issued a Cybersecurity Advisory (CSA) on the Zeppelin ransomware threat as part of CISA’s #StopRansomware initiative.
The agencies explained that Zeppelin is derived from the Delphi-based Vega malware family and operates as ransomware as a service (RaaS). Victims are typically shown a ransom note stating that their computers have been encrypted and that payment in cryptocurrency is required to decrypt their data.
“From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries,” the agencies said.
“Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars,” they said.
Zeppelin actors gain access to victims’ networks by exploiting vulnerabilities, including firewall vulnerabilities, and through phishing, and intrusions have sometimes been staged over weeks while the actors map the victim’s network and data before deploying the ransomware.
CISA and the FBI recommended a variety of actions to guard against the Zeppelin threat, including:
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location;
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies; and
- Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
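As an added illustration of the second recommendation (this is example code written for this page, not part of the CISA/FBI advisory or any NIST publication), the following Python checker applies the memorized-secret rules from NIST SP 800-63B: a minimum of 8 characters, acceptance of at least 64 characters, Unicode normalization before counting length, screening against a blocklist of breached or commonly used values, rejection of the account name and of repetitive or sequential runs, and deliberately no composition rules (mixed case, digits, symbols), which 800-63B advises against. The blocklist here is a small constructed sample; a real deployment would load a large breached-password corpus, and the run length of 4 for repetition and sequence detection is an assumption rather than a value from the standard.

```python
import unicodedata

# Constructed sample blocklist for illustration only; production systems should
# screen against a large corpus of breached and commonly used passwords.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "zeppelin"}

MIN_LENGTH = 8    # NIST SP 800-63B: memorized secrets must be at least 8 characters
MAX_LENGTH = 64   # NIST SP 800-63B: verifiers must accept at least 64 characters
RUN_LENGTH = 4    # assumed threshold for "repetitive or sequential characters"


def normalize(secret: str) -> str:
    """Apply NFKC normalization so length is counted consistently across encodings."""
    return unicodedata.normalize("NFKC", secret)


def _has_repetition(s: str, run: int = RUN_LENGTH) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    count = 1
    for a, b in zip(s, s[1:]):
        count = count + 1 if a == b else 1
        if count >= run:
            return True
    return False


def _has_sequence(s: str, run: int = RUN_LENGTH) -> bool:
    """True if `run` or more consecutive code points ascend by one (e.g. '1234', 'abcd')."""
    count = 1
    for a, b in zip(s, s[1:]):
        count = count + 1 if ord(b) - ord(a) == 1 else 1
        if count >= run:
            return True
    return False


def check_password(secret: str, username: str = "", blocklist=BREACHED_PASSWORDS) -> list:
    """Return a list of policy problems; an empty list means the secret is acceptable.

    Intentionally imposes no composition rules (upper/lower/digit/symbol), in line
    with NIST SP 800-63B guidance.
    """
    problems = []
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if s.lower() in blocklist:
        problems.append("appears in breached/common password blocklist")
    if len(username) >= 3 and username.lower() in s.lower():
        problems.append("contains the account name")
    if _has_repetition(s):
        problems.append("contains repetitive characters (e.g. 'aaaa')")
    if _has_sequence(s):
        problems.append("contains sequential characters (e.g. '1234', 'abcd')")
    return problems


def is_acceptable(secret: str, username: str = "") -> bool:
    """Convenience wrapper: True when no policy problems are found."""
    return not check_password(secret, username)


if __name__ == "__main__":
    for candidate, user in [("correct horse battery staple", "alice"),
                            ("zeppelin", "bob"),
                            ("1234abcd", "carol"),
                            ("alice2024xyz", "alice")]:
        print(repr(candidate), "->", check_password(candidate, user) or "OK")
```

Note that the checker reports every failing rule rather than stopping at the first, which is more useful when the result is shown to an administrator auditing service-account credentials; a user-facing prompt would normally show only a single generic reason.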