You're listening to the CyberWire Network, powered by N2K.

This is a SISA Cybersecurity Alert.

ID number Alpha Alpha 22 TAC 223 Alpha.

Original release releasing this joint advisory to disseminate known Zeppelin Ransom

Ransomware IOCs and TTPs associated with ransomware

variants identified through FBI investigations as

recently as June 21st, 2022. Zeppelin Ransomware is a derivative of the Delphi-based Vega Malware

family and functions as a ransomware as a service.

From 2019 through June 2022, cyber actors have used this malware to target a wider range of businesses

and critical infrastructure organizations, including defense contractors, educational institutions,

manufacturers, technology companies, and organizations in the health care and

medical industries.

Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts

ranging from several thousand dollars to over a million dollars.

Zeppelin actors gain access to victim networks via RDP exploitation, exploiting

Sonic Wall firewall vulnerabilities, and fishing campaigns.

Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping the victim network to identify data enclaves, including cloud storage and network backups.

Zeppelin actors can deploy Zeppelin ransomware as a dot DLL or dot-E-X-E file or contained within a

power shell loader. Prior to encryption, Zeppelin actors exfiltrate sensitive company data to sell or publish in the event the victim refuses to pay the ransom.

The alert documentation linked in the show notes includes indicators of compromise, a full mitre attack mapping for this threat activity, recommended mitigation actions, and detection techniques for Zeppelin malware.

This joint Cyber cybersecurity advisory is part of an ongoing hashtag stop ransomware effort

to publish advisories for network defenders that detail various ransomware variants and

...