CISA Sounds Alarm About Zeppelin Ransomware Targeting Healthcare Organizations
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about the Zeppelin ransomware-as-a-service (RaaS) operation, which has extensively targeted organizations in the healthcare and medical industries.
Zeppelin ransomware, a variant of Vega malware, has been used in attacks on critical infrastructure organizations since 2019. The threat actors have been observed using a variety of vectors to gain initial access to victims’ networks, especially the exploitation of Remote Desktop Protocol (RDP), vulnerabilities in SonicWall appliances, vulnerabilities in Internet-facing applications, and phishing emails. The phishing-based attacks use a combination of malicious links and attachments containing malicious macros.
The threat actors typically spend around 1-2 weeks inside victims’ networks before deploying the ransomware payload. During this time, they map or enumerate victims’ networks, identify data of interest, including backups and cloud storage services, and exfiltrate sensitive data. A ransom demand is then issued, usually in Bitcoin, with the demand ranging from several thousand dollars to more than a million.
The FBI has observed several attacks in which the malware was executed multiple times within the same network. Each run leaves victims with a different ID and file extension, so several different decryption keys are required to recover all files, which adds to the complexity of recovery from an attack.
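The multi-run case above matters during recovery: a triage team has to know how many distinct encryption runs touched the file shares before negotiating for or testing decryptors. The following Python helper is an added example, not code from the CISA/FBI alert; it groups files by the extension appended after a recognisable original extension (the sample names and the appended-ID format are constructed, not Zeppelin's real format), so each group represents one encryption run and, per the alert, one decryption key.

```python
"""Triage helper: count distinct appended extensions left by repeated encryption runs.

Added example, not part of the CISA/FBI alert. The appended-ID format and the
sample file names below are constructed; Zeppelin's real format is not assumed.
"""
import os
from collections import defaultdict
from pathlib import PurePath

# Extensions that mark a plausible original file (constructed; extend for your estate).
ORIGINAL_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".bak", ".txt"}


def appended_extension(name):
    """Return the suffix appended after a known original extension, or None.

    'budget.xlsx.7A1-B22-9CC' -> '.7A1-B22-9CC'; 'budget.xlsx' -> None.
    A legitimate double extension such as 'backup.sql.bak' also yields None.
    """
    suffixes = PurePath(name).suffixes
    if len(suffixes) < 2:
        return None
    original, appended = suffixes[-2].lower(), suffixes[-1]
    if original in ORIGINAL_EXTENSIONS and appended.lower() not in ORIGINAL_EXTENSIONS:
        return appended
    return None


def group_by_appended_extension(paths):
    """Map each appended extension to the files carrying it (one group per run)."""
    groups = defaultdict(list)
    for path in paths:
        ext = appended_extension(os.path.basename(path))
        if ext is not None:
            groups[ext].append(path)
    return dict(groups)


def scan_tree(root):
    """Walk a directory tree read-only and group encrypted candidates."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return group_by_appended_extension(paths)


def recovery_summary(groups):
    """One line per distinct extension; each line is a separate decryptor to obtain."""
    return [f"{ext}: {len(files)} file(s)" for ext, files in sorted(groups.items())]


if __name__ == "__main__":
    # Constructed sample: two encryption runs left two different appended extensions.
    SAMPLE = [
        "/mnt/finance/budget.xlsx.7A1-B22-9CC",
        "/mnt/finance/q3.pdf.7A1-B22-9CC",
        "/mnt/hr/roster.docx.F0E-41D-2B7",
        "/mnt/hr/README.txt",        # untouched file stays out of every group
        "/mnt/it/backup.sql.bak",    # legitimate double extension, not a candidate
    ]
    for line in recovery_summary(group_by_appended_extension(SAMPLE)):
        print(line)
```

Run `scan_tree("/path/to/restored/share")` against a read-only mount of the affected shares; two or more groups in the output means two or more decryption keys are needed, matching the FBI's observation.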
CISA and the FBI have shared Indicators of Compromise (IoCs) and YARA rules to help network defenders identify attacks in progress and block them before file encryption. Mitigations have also been shared to reduce the risk of compromise, which include:
- Developing and managing password policies for all accounts in accordance with the latest standards published by the National Institute of Standards and Technology (NIST)
- Developing a robust backup plan for all data – Create multiple backups of data and servers, store those backups in separate, segmented, and secure locations, encrypt backups, and test backups to make sure file recovery is possible
- Implementing multifactor authentication for all services, especially webmail, VPNs, and accounts used to access critical systems
- Ensuring all software and firmware are kept up to date
- Installing antivirus software on all hosts and regularly updating the software
- Conducting regular audits of all user accounts with admin privileges
- Applying the principle of least privilege
- Implementing time-based controls for admin-level accounts and higher
- Disabling all unused ports
- Disabling hyperlinks in received emails and adding a banner to all emails from external sources
- Disabling command-line and scripting activities and permissions to prevent lateral movement
In the event of a successful attack, the FBI encourages victims to share information with the FBI, regardless of whether the ransom is paid. Specifically, the FBI requests boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.