The FBI and CISA recently issued a Cybersecurity Alert entitled “#StopRansomware: Zeppelin Ransomware” providing an alert to organizations about the proliferation of Zeppelin ransomware attacks and information on the indicators of compromise and techniques to combat them.

According to the Advisory, “From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the health care and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”

The Advisory explains how the ransomware is deployed:

“Zeppelin actors gain access to victim networks via RDP exploitation, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.

“Prior to encryption, Zeppelin actors exfiltrate sensitive company data files to sell or publish in the event the victim refuses to pay the ransom. Once the ransomware is executed, a randomized nine-digit hexadecimal number is appended to each encrypted file as a file extension, e.g., file.txt.txt.C59-E0C-929. A note file with a ransom note is left on compromised systems, frequently on the desktop.”

What is particularly alarming is that the FBI has observed that the attackers execute the malware multiple times in the network, which “ results in the victim needing several unique decryption keys.” The Advisory lists in detail the indicators of compromise, which organizations may wish to review, as well as ways to detect and mitigate the risk of compromise. The Advisory can be accessed here.