Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint Cybersecurity Advisory (CSA) on Zeppelin ransomware, providing tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations defend against this threat. Zeppelin ransomware is a spinoff of the Delphi-based Vega malware family and operates as a Ransomware as a Service (RaaS). From 2019 through at least June 2022, attackers have used this malware to target a wide range of businesses and critical infrastructure entities. According to the CSA, “Zeppelin actors gain access to victim networks via RDP exploitation, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves.” The advisory also includes mitigation recommendations to help defend against this activity.

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.