The US authorities have warned that victims of a ransomware-as-a-service (RaaS) family may require multiple unique decryption keys to stand a chance of getting their data back.
The US Cybersecurity and Infrastructure Security Agency (CISA) said in a new alert that the Zeppelin variant has been around since at least 2019, with ransoms ranging from several thousand dollars to $1m+.
“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack,” the CISA added. “This results in the victim needing several unique decryption keys.”
Zeppelin, which is said to be derived from the Delphi-based Vega malware family, has targeted a wide range of organizations including those in the defense, education, manufacturing and technology sectors. However, its main targets have been in the healthcare and medical industries, according to CISA.
“Zeppelin actors gain access to victim networks via RDP exploitation, exploiting SonicWall firewall vulnerabilities and phishing campaigns,” the alert noted.
“Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.”
In the phishing scenario, threat actors aim to trick users into clicking on a malicious link or opening a booby-trapped attachment in order to execute malicious macros, CISA said.
Like most ransomware actors today, Zeppelin affiliates also try to exfiltrate data before deploying their final payload and leaving a ransom note.
CISA listed a long line of recommended mitigations for Zeppelin, ranging from best practice password management and multi-factor authentication to regular patching, network segmentation, disabling unused ports and maintaining offline data backups.
Organizations should also disable command-line and scripting activities and permissions, follow an access policy of least privilege, and implement time-based access for accounts set at admin level and higher, it said.