How to Stop Zeppelin Ransomware Attacks: CISA, FBI Mitigation Guidance
Hackers have been using Zeppelin Ransomware to launch cyberattacks against businesses and critical infrastructure since at least 2019, according to a CISA and FBI warning issued today. The warning also included some timely mitigation guidance that MSPs and MSSPs can use to protect their own systems and end-customer networks.
Zeppelin ransomware is a relative of the Delphi-based Vega malware family and operates under a Ransomware as a Service (RaaS) model, the warning noted. Attacks observed from 2019 through June 2022 have targeted defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.
The Zeppelin threat actors gain access to victim networks via RDP exploitation [T1133], exploiting SonicWall firewall vulnerabilities [T1190], and phishing campaigns [T1566], the CISA and FBI revealed. Ransomware demands — to be paid in Bitcoin — often range from several thousand dollars to over $1 million, the government agencies said.
How MSPs and MSSPs Can Defend Against Zeppelin Ransomware Attacks
To mitigate the risk of Zeppelin ransomware and similar attacks, MSPs and MSSPs can dig into this document from the CISA and FBI.
To further investigate the Zeppelin ransomware activities, the FBI is seeking:
- boundary logs showing communication to and from foreign IP addresses;
- a sample ransom note;
- communications with Zeppelin actors;
- Bitcoin wallet information;
- decryptor files; and/or
- a benign sample of an encrypted file.
As in previous guidance, the FBI and CISA do not encourage paying the ransom, since payment does not guarantee that victim files will be recovered. The FBI and CISA also urge victims to promptly report ransomware incidents to a local FBI Field Office, to CISA at us-cert.cisa.gov/report, or to the U.S. Secret Service (USSS) at a USSS Field Office.
CISA and FBI: Multiple Cybersecurity Warnings Mention MSPs
The CISA, FBI and UK authorities have repeatedly warned MSPs about cyberattacks targeting service provider systems and their downstream customers. The latest joint warning, issued in May 2022, included 12 tips to help MSPs reduce their ransomware risk. Separately, Microsoft issued a ransomware warning to small businesses and their IT service providers in July 2022.