The Zeppelin Group is Making Us Ramble On About Ransomware
We apologize for the pun, but we couldn’t help ourselves.
When you go about your business and attempt to onboard a new client or implement a new tool for your company, you spend time getting to know what your business is doing and why. Well, a newly formed ransomware group will spend up to two weeks mapping your network before launching its attacks, making it a potent threat actor that you should keep an eye out for on your business network.
What is Zeppelin?
This threat actor, a ransomware group called Zeppelin, is notorious in the cyber threat landscape for demanding large ransoms from even larger businesses in the United States and Europe. The US Cybersecurity and Infrastructure Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint warning about the ransomware group.
Having been around since 2019, Zeppelin has launched attacks against businesses in the healthcare, manufacturing, defense, education, and technology sectors. It grew in notoriety for its ransomware-as-a-service offerings and its VegaLocker ransomware, and it has a penchant for targeting healthcare or medical organizations. Ransoms range from thousands of dollars to over a million dollars in some cases.
What Tactics are Being Used?
How is this group able to demand such high ransoms and get away with it? It’s all rooted in their tactics.
The FBI and CISA have found that Zeppelin is a well-organized threat that takes plenty of time to scope out their victims’ network before launching attacks. They take great care in laying the groundwork before they launch their ransomware attacks, looking into potential cloud services and backup solutions in place. After the attacks have been launched, victims are hit with multiple instances of the ransomware and could require several decryption keys to get back in action following the attack.
The joint advisory reads: “The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim's network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.”
What Do You Do?
As always, we recommend that you do not pay the ransom under any circumstances, even if the situation seems dire and there is no way out. Paying the ransom only reinforces that ransomware as a threat works against companies like you, and by paying these hackers for the safe return of your data, you are effectively funding further attacks against other organizations just like yours.
Furthermore, there is no guarantee that you will get your data back just by paying the hacker, as it is quite common for ransomware victims to have difficulties with the encryption key following an infection and subsequent ransom payment. There are compliance issues involved too, and though you might feel strong-armed into making this decision, there are better approaches to ransomware that we urge you to consider.
Ransomware can be intimidating, but you should know that you have trusted allies on your side in the fight to protect your infrastructure. By contacting BlackCSI, you can protect your organization’s network, educate your employees, and have a valued resource for any and all of your cybersecurity troubles. We can help you properly address ransomware both before and during an attack so you can optimize your chances of recovering.
To learn more, reach out to us at (717) 620-3042.