The FBI and US Cybersecurity and Infrastructure Security Agency (CISA) have published a joint advisory to help organizations defend against the Zeppelin ransomware-as-a-service as part of their #StopRansomware effort.
"From 2019 through at least June 2022," the agencies say, "actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries."
Hackers using Zeppelin have demanded payments "ranging from several thousand dollars to over a million dollars" worth of Bitcoin, the FBI and CISA say. The attackers can also extort their victims by compromising "sensitive company data files" and threatening to leak them if the organization doesn't pay the ransom.
Zeppelin can also be deployed more than once. "The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network," the agencies say, "resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys."
BlackBerry reported in 2019 that Zeppelin was related to the Vega ransomware family, but also quite different from its predecessors, especially in that it was "designed to quit if running on machines that are based in Russia and some other ex-USSR countries." Prior versions of the ransomware specifically targeted Russian speakers.
The company said this distinction, "as well as differences in victim selection and malware deployment methods, suggest that this
Read more on pcmag.com