CISA, FBI Warn Healthcare Sector of Zeppelin Ransomware

Zeppelin ransomware, which relies on RDP exploitation and phishing campaigns, poses a significant threat to the healthcare sector.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory to alert critical infrastructure to the dangers of Zeppelin ransomware.

The FBI and CISA have observed threat actors using Zeppelin ransomware from 2019 through at least June 2022 to wage attacks against defense contractors, educational institutions, technology companies, manufacturers, and especially healthcare organizations.

Zeppelin functions as a Ransomware-as-a-Service (RaaS) operation and is a derivative of the Delphi-based Vega malware family, the advisory explained. Threat actors typically use Zeppelin via remote desktop protocol (RDP) exploitation and phishing campaigns.

“Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups,” the advisory noted.

Zeppelin actors also have been known to exfiltrate sensitive data files prior to encryption and then publish those files if the victim refuses to pay the ransom.

“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys,” the federal agencies explained.

The FBI and CISA provided detailed indicators of compromise (IOCs) and technique details. The advisory also urged all potential victims to employ numerous mitigations to defend their networks and reduce the risk of compromise.

Recommended mitigation tactics include implementing a recovery plan, requiring multifactor authentication (MFA), and keeping all operating systems, software, and firmware up to date.

The advisory also provided a list of password-related best practices and encouraged organizations to adhere to the following National Institute of Standards and Technology (NIST) guidance when developing password policies:

  • Use longer passwords of at least 8 characters and no more than 64 characters
  • Store passwords in hashed format using industry-recognized password managers
  • Add password user “salts” to shared login credentials
  • Avoid reusing passwords
  • Lock accounts after multiple failed login attempts
  • Disable password “hints”
  • Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” that cyber criminals can easily decipher.
  • Require administrator credentials to install software.
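An added example (not code from the advisory, CISA or the FBI) showing how three of the items above translate into an authentication store: the 8 to 64 character length check, a per-user random salt with a slow hash (scrypt), and account lockout after repeated failed logins. The threshold of 5 failures and the 900-second lockout are assumed values; the advisory does not specify them.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MIN_LEN, MAX_LEN = 8, 64   # length bounds taken from the advisory's list
MAX_FAILURES = 5           # assumed lockout threshold (not given by the advisory)
LOCKOUT_SECONDS = 900      # assumed lockout duration (not given by the advisory)


def check_length(password: str) -> bool:
    """Length policy only: 8 to 64 characters, no composition rules, no hints."""
    return MIN_LEN <= len(password) <= MAX_LEN


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt plus a slow KDF; returns (salt, digest). Plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class AuthStore:
    def __init__(self):
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        if not check_length(password):
            raise ValueError("password must be 8-64 characters")
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, password: str, now: float = None) -> str:
        """Returns 'ok', 'denied' or 'locked'; `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if now < acct.locked_until:
            return "locked"              # lockout still active, password not even checked
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0            # successful login resets the failure counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```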

The advisory also encouraged organizations to implement network segmentation, audit user accounts, disable unused ports, maintain offline backups of data, and implement time-based access for accounts at the admin level or higher.

The alert about Zeppelin ransomware arrived just a few weeks after CISA and the FBI warned critical infrastructure entities about Maui ransomware, another strain whose operators have favored healthcare organizations as targets.