FBI and CISA Warn Healthcare Organizations of Zeppelin Ransomware

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint warning regarding the Zeppelin strain of ransomware. The alert, issued on August 11, warns healthcare organizations of the threat the ransomware poses and describes the steps organizations can take to mitigate the risk to electronic healthcare data.

Zeppelin ransomware is a variant of the Delphi-based Vega malware family and operates as Ransomware as a Service. Malicious actors have used it to gain access to the networks of a range of businesses and critical infrastructure organizations, including educational institutions, manufacturers, technology companies, and, in particular, organizations within the healthcare industry. Once the malware is deployed, the actors demand ransom payments in cryptocurrency, ranging from a few thousand to millions. Zeppelin actors gain initial access through RDP exploitation, phishing campaigns, and SonicWall firewall vulnerabilities. According to the alert, the actors first identify data enclaves such as network backups and cloud storage before deploying the ransomware. They also exfiltrate the network’s data files and threaten to sell or publish them if the victim refuses to pay the requested amount.

According to the FBI, there have been multiple cases in which malicious actors deployed Zeppelin ransomware several times within a single network. Each deployment produces a different victim ID or file extension, so recovering from the attack requires the victim to obtain and use multiple unique decryption keys.

CISA and the FBI have advised organizations that may be targeted by these attacks to take several steps to mitigate the threat Zeppelin ransomware poses. Organizations are advised to develop a recovery plan and to retain multiple copies of sensitive data and critical systems in a physically separate, secure location. Organizations should also require strong passwords on all accounts, in line with NIST standards, and require multi-factor authentication wherever possible.

The FBI discourages victims from paying the ransom, as payment does not guarantee that the victim’s files will be recovered and may encourage the attackers to target further organizations. Organizations are asked to report ransomware incidents immediately to the FBI, CISA, or the U.S. Secret Service.