
Threat actors using Zeppelin request ransom in Bitcoin, with extortion amounts ranging from several thousand dollars to over a million dollars.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory to disseminate information about Zeppelin ransomware.
Threat actors have been observed using this ransomware-as-a-service (RaaS) from 2019 through at least June 2022. Criminals have targeted a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.
Criminals leave a ransom note on compromised systems, frequently on the desktop.

“Zeppelin actors gain access to victim networks via RDP (remote desktop protocol) exploitation, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups,” the advisory reads.
As is typical with ransomware gangs, Zeppelin exfiltrates sensitive corporate data with the intent to make it accessible to buyers or the general public in case the victim refuses to succumb to its demands.
“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys,” the advisory said.