On Thursday 11th of August 2022, the United States Federal Bureau of Investigation (FBI) released a joint TLP:WHITE cybersecurity advisory revealing that threat actors have been using the Zeppelin ransomware from 2019 through to at least June 2022 to target a wide range of businesses and critical infrastructure organisations, including defence contractors, educational institutions, manufacturers, technology companies and, especially, organisations in the healthcare and medical industries. Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and operates as Ransomware as a Service (RaaS); victims have been asked to pay the ransom in Bitcoin, with initial demands observed to range from several thousand dollars to over a million dollars.
This joint cybersecurity advisory was released in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022. The advisory also revealed that the FBI have observed incidents where threat actors executed the Zeppelin ransomware multiple times within a victim’s network, creating a different ID or file extension for each execution; as a result, the victim needs several unique decryption keys to recover their data.
In the alert, the FBI asked for any information related to the Zeppelin ransomware to be shared with them. This information can include “boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”