Chris Swagler | August 18th, 2022

As Capitol Hill leaders encourage the Department of Health and Human Services (HHS) to step up its efforts to defend hospitals and public health systems from cyberattacks, a joint Cybersecurity Advisory about the ransomware-as-a-service variant, Zeppelin, was released. The Zeppelin ransomware strain, which is targeting healthcare organizations, was mentioned in an alert from the Federal Bureau of Investigation (FBI) and Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on August 11. The alert includes the tactics, techniques, and procedures (TTPs) of the ransomware strain and recommendations for healthcare providers to help mitigate the risks of Zeppelin ransomware.

Federal officials explain that Zeppelin ransomware is a variation of the Delphi-based Vega malware family and operates as a Ransomware-as-a-Service (RaaS). From 2019 through June 2022, threat actors use the malware to target various companies and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and organizations in the healthcare and medical industries. Cybercriminals using the Zeppelin ransomware are seeking bitcoin ransom payments, with demands ranging from several thousand dollars to more than a million.

According to FBI and CISA officials, threat actors access victims’ networks using RDP exploitation, leveraging SonicWall firewall vulnerabilities, and phishing tactics. Actors map out or enumerate victims’ networks for one to two weeks before deploying Zeppelin ransomware to locate data enclaves, including cloud storage and network backups. Zeppelin actors can spread the ransomware using a .dll or .exe file or PowerShell loaders. Threat actors will steal data files before encryption to sell or publish in the event victims refuse to pay the ransom. When the variant is used, each encrypted file is appended with a random nine-digit hexadecimal number as a file extension. Compromised systems will have a note file with a ransom note on the desktop.

FBI officials stated that Zeppelin ransomware has been used in instances where it has been executed many times within victims’ networks, leading to developing various IDs or file extensions, for each instance of an attack and can lead to victims needing numerous unique decryption keys. Internal threat intelligence noted that it’s unclear whether the same files are mistakenly encrypted more than once (which would be rare, but not uncommon) or simply different files are encrypted independently (which is very common).

Most ransomware programs today include an overall master key that encrypts numerous additional keys that perform the encryption. The ransomware group will provide a single key to unlock a single set of files as “proof of life” when victims request evidence that the ransomware threat operators have decryption keys and the group’s software, or process will function if victims pay the ransom.

To reduce the risk of negative impacts from Zeppelin ransomware, FBI and CISA officials advise healthcare and other organizations to take reasonable precautions. Implementing a recovery plan is advised to maintain and retain numerous copies of critical data in a separate, segmented, and secure location. Any recovery plan needs to require all accounts with password-logins to adhere to NIST standards for creating and managing password policies, requiring administrator credentials to install software, and mandating multifactor authentication “for all services, including webmail, virtual private networks, and accounts with access to critical systems. The agencies advise disabling command-line and scripting activities and permissions because software utilities launched from the command-line are frequently necessary for privilege escalation and lateral movement. Threat actors won’t be able to escalate privileges or move laterally if they can’t run the tools.

In the last two years, ransomware attacks on the healthcare sector have risen as opportunistic cybercriminals realized that hospitals will quickly pay ransom demands to resolve problems and protect patients’ safety. Companies in the sector are vulnerable targets for both criminal and nation-state threat operators because of the abundance of personally identifiable information and personal health information. Additional concerns exist about industry partners lacking the robust and timely shared actionable threat information, and that HHS’ capabilities and resources need to be scaled up dramatically. There is an increasing call for current HHS authorities to improve cybersecurity across the sector.

A national advisor for cybersecurity and risk and the American Hospital Association (AHA) provided the organization’s viewpoint in a statement about the new Zeppelin ransomware advisory. According to the advisor, the group is stealing and threatening to publicly expose sensitive information, including patient information, payroll, human resources, and non-disclosure-protected information.

Even if victim organizations can restore encrypted files from backups independently, they still must deal with the potential for stolen information in the criminals’ possession being made public. Paying a ransom is strongly discouraged by both the AHA and the federal government. The alert and the comprehensive stopransomware website offer thorough instructions on how to protect systems from ransomware and avoid the ethical and legal quandary of “pay or not pay.”

With the recent warning from the FBI and CISA regarding the ransomware targeting healthcare industries, companies, including hospitals and public health systems, need to remain alert to the current threat landscape and regularly keep off-site data backups of sensitive information. At SpearTip, our network vulnerability assessments allow our engineers to identify, classify, and analyze known and potential vulnerabilities, and provide actionable solutions to eliminate any future ransomware threats like Zeppelin. With gap analysis, our engineers compare technology and internal personnel to discover blind spots in companies that can lead to potential compromises. Our ShadowSpear Threat Hunting evaluates the effectiveness of current technical controls and allows our Security Operations Center to hunt and identify ransomware threats to prevent breaches.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.