CISA and FBI Warn on Zeppelin Ransomware 

Federal agencies warn on tactics, techniques, and procedures used by Zeppelin ransomware actors

First spotted in 2019, Zeppelin ransomware has been used to target a wide range of businesses and critical infrastructure organizations. Its main targets include defense contractors, colleges and universities, manufacturers, technology companies, and healthcare organizations.

Zeppelin attacks declined for several months but picked up again in late 2020. Attacks are currently on the rise because of the sophisticated code used in the ransomware: the attackers use new downloader components, so legacy antivirus applications detect the ransomware poorly. At the time of the first attacks, almost 30% of antivirus products failed to catch this threat.

What is Zeppelin Ransomware?

Zeppelin is a form of Ransomware-as-a-Service (RaaS): the ransomware authors provide the software to “affiliates”, effectively their customers, who then use it to hold captured data hostage. For more information about how this scheme works, read our previous article The State of Ransomware in 2022. Zeppelin itself is a fairly simple piece of code (a variant of the Vega malicious code, to be precise) spread by affiliates. The developers offer the code to affiliates in exchange for a revenue share, and the attacks are designed to lure users into enabling Visual Basic for Applications (VBA) macros that trigger the infection process. Zeppelin attacks often start as phishing emails with Microsoft Word attachments labeled as medical invoices; if the attachment is opened and macros are enabled, the hidden malicious macros infect the computer.

The threat actors typically spend around 1-2 weeks inside victims’ networks before deploying the ransomware payload. During this time, they map or enumerate victims’ networks and pinpoint data of interest, including backups and cloud storage services. Finally, they exfiltrate sensitive data. A ransom demand is then issued, usually in Bitcoin, ranging from several thousand dollars to more than a million.

Zeppelin Alarm Sounded at the Highest Level

The proliferation of Zeppelin has drawn heightened attention from government bodies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about the Zeppelin RaaS operations. This alert is part of the ongoing #StopRansomware effort to publish advisories on various ransomware variants and threat actors.

The alert describes Zeppelin’s main characteristics and states that attackers have used a variety of vectors to gain initial access to victims’ networks. The threat actors exploit Remote Desktop Protocol (RDP), vulnerabilities in SonicWall appliances, vulnerabilities in Internet-facing applications, and phishing emails. The phishing-based attacks, which are the most common, use a combination of malicious links and attachments containing malicious macros.

The FBI has also highlighted a peculiarity of the Zeppelin ransomware: in several attacks, specialists observed data that had been encrypted multiple times using different encryption keys. Such an operating scheme makes recovery from an attack considerably more complex. The joint CISA and FBI alert is therefore timely and warranted.

Indicators of Compromise and Rules to Identify a Zeppelin Attack

CISA and the FBI have shared Indicators of Compromise (IoCs) and detection rules in their alert to help network defenders identify attacks in progress and block them before file encryption. Mitigations to reduce the risk of compromise have also been shared; we summarize some of them below.

  • Implement a recovery plan that maintains multiple copies of sensitive or proprietary data in a physically separate, segmented, and secure location (e.g., a hard drive, storage device, or the cloud).
  • Develop and enforce strong password policies for all accounts following the latest NIST standards, particularly NIST SP 800-63B.
  • Implement multifactor authentication (MFA) for all services, especially email, VPNs, and sensitive accounts used to access critical systems. We wrote about the importance of MFA as a countermeasure to password-based vulnerabilities in our article Reinforcing the Weakest Security Link with Access Controls.
  • Keep all systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching SonicWall firewall vulnerabilities and known exploited vulnerabilities in internet-facing systems.
  • Segment networks to prevent the spread of ransomware. Segmentation helps control traffic flows between, and access to, subnetworks and limits adversaries’ lateral movement.
  • Install, update, and enable real-time detection for antivirus software on all hosts.
  • Conduct regular audits of all user accounts with administrative privileges.
  • Implement time-based access controls for admin-level accounts and higher.
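Two of the mitigations above (auditing accounts with administrative privileges, and closing the VBA-macro vector that Zeppelin phishing relies on) can be checked on a Windows endpoint with a short script. The following is an added example written for this article; it is not part of the CISA/FBI advisory and not Planet 9 tooling. It assumes PowerShell 5.1 or later, Office 2016/2019/365 policy keys under the 16.0 path, and a hardening baseline of VBAWarnings = 4 with blockcontentexecutionfrominternet = 1, which is this example's assumption rather than a value stated in the advisory.

```powershell
# Added example (not from the advisory or the article): two endpoint checks
# that map to the mitigations above. Run on Windows, PowerShell 5.1+.

# 1. Audit the local Administrators group (mitigation: regular audits of
#    accounts with admin privileges). Domain groups nested in the local
#    group appear with ObjectClass 'Group' and deserve a second look, since
#    every member of that domain group is effectively a local admin.
function Get-LocalAdminAudit {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource |
        Sort-Object Name
}

# 2. Verify Group Policy settings that block VBA macros, the infection vector
#    described earlier. Policy-managed keys live under HKCU\Software\Policies.
#    VBAWarnings = 4                     -> "Disable all macros without notification"
#    blockcontentexecutionfrominternet=1 -> block macros in files downloaded from the Internet
#    The "Compliant" column encodes this example's assumed baseline.
function Test-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0')   # assumption: Office 2016/2019/365 path
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        # A missing key means no policy is applied; $props is then $null and the
        # property reads below evaluate to $null, so Compliant becomes $false.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $props.VBAWarnings
            BlockInternetMacros = $props.blockcontentexecutionfrominternet
            Compliant           = ($props.VBAWarnings -eq 4) -and
                                  ($props.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Get-LocalAdminAudit    | Format-Table -AutoSize
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Run the script per host (or through a remoting job) and keep the output with the audit records; any row with Compliant = False, or any unexpected name in the administrators listing, is a finding to act on rather than something the script changes on its own.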

Requested Information on Zeppelin Attack Cases

If a ransomware attack occurs, victims should share information with the FBI regardless of whether the ransom is paid. Specifically, the FBI may request boundary logs showing any contacts with foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. This data not only helps track the frequency and intensity of Zeppelin attacks but also helps identify the attackers behind the Zeppelin ransomware gang.

CISA and the FBI do not encourage paying Zeppelin ransom demands, since there is no guarantee that paying will prevent data leaks or future attacks. On the contrary, receiving the ransom money is likely to encourage the attackers to target more victims and motivate other cybercrime groups to join in ransomware attacks.

We remind you that the duty to report ransomware cases is already incorporated in some state and industry-specific data protection regulations. For instance, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), as of March 2022, contains a provision for mandatory reporting of ransomware attacks. Read more about these provisions in our article CIRCIA: Cyber Incident Reporting For Critical Infrastructure.

Ransomware attack methods are continually evolving. Take steps now to ensure you are ready to address ransomware threats, and feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!

Phone:  888-437-3646