FBI, CISA warn over ransomware gang that can make million dollar demands

the-hands-of-a-computer-hacker-over-a-keyboard.jpg

Getty

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released details of the tactics of a ransomware group called Zeppelin which has been targeting large organizations in the US and Europe with huge ransom demands.     

Zeppelin emerged in late 2019 as a ransomware-as-a-service double-extortion operation and was previously called VegaLocker ransomware. It was known for targeting healthcare sector organizations  across Europe and North America. The agencies say the group has also targeted defense contractors, educational institutions, manufacturers, technology companies, but notes it has “especially” targeted organizations in the healthcare and medical industries. 

According to the joint advisory, Zeppelin actors have also compromised victim networks by exploiting remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing. The UK’s National Health Service (NHS) last year reported the group was using malicious macros in Word documents to spread the malware, but that may be less likely in future after Microsoft’s recent default block on untrusted VBA macros in Office.

Zeppelin actors are known to have demanded ransoms of several thousand dollars to in excess of $1 million. The advisory references Core Security’s research, which describes Zeppelin as a “well-organized” threat

The FBI has found attackers do indeed take extra care in laying the groundwork before and during ransomware deployments. For example, they spend up to two weeks mapping a network looking for cloud storage and network backups. Then the malware is deployed as a DLL or executable file contained within a PowerShell loader.

Zeppelin ensures victims need not just one but possibly several decryption keys and a network often ends up with machines tagged with multiple IDs. Once executed, each file is tagged with a randomized nine-digit hexadecimal number as a file extension that serves as a victim’s personal ID.  

“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys,” the advisory states. 

The FBI hopes to collect information from victims of Zeppelin actors. It encourages victims to report ransomware incidents to a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.

“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file,” it said.

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.