The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released a joint cybersecurity advisory on the extensive attacks on organizations in the healthcare and medical sectors by the Zeppelin ransomware-as-a-service (RaaS) operation.
Zeppelin, a variant of the Vega malware family, has been used against critical infrastructure organizations since 2019. The threat actors use several vectors to obtain initial access to victim networks: exploitation of Remote Desktop Protocol (RDP), vulnerabilities in SonicWall devices, vulnerabilities in other Internet-facing applications, and phishing emails. The phishing campaigns use a mix of malicious hyperlinks and attachments carrying malicious macros.
The threat actors typically spend one to two weeks inside a victim's network before deploying the ransomware payload. During that time they map the network, identify data of interest, including backups and cloud storage accounts, and exfiltrate sensitive information. The ransom demand that follows ranges from a few thousand dollars to more than a million, usually payable in Bitcoin.
The FBI has observed several incidents in which the malware was executed multiple times within the same network. Victims of these attacks end up with multiple victim IDs and file extensions and need a separate decryption key for each, which makes recovery considerably harder.
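Working out how many distinct keys a multiply-hit environment actually needs is a first triage step, since every unique ID is a separate negotiation or decryptor. The Python below is an added example, not code from the advisory or from the FBI or CISA. It assumes, as a placeholder, that the appended extension takes the form of three dash-separated groups of three hex characters; the page does not state the real format, so adjust the regex to what you observe in your own incident. The file names it scans are constructed sample data.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# ASSUMPTION: the appended ID is modelled as three groups of three hex digits
# separated by dashes (e.g. ".A1B-2C3-D4E"). Change this to the pattern actually
# seen on encrypted files; the advisory summary above does not give the format.
ID_RE = re.compile(r"\.([0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")


def strip_ids(name):
    """Peel appended ransomware IDs off the end of a file name.

    Returns (original_name, ids) with ids listed outermost first, i.e. the ID
    from the most recent encryption run comes first. A file that was
    encrypted twice carries two stacked IDs and therefore needs two keys.
    """
    ids = []
    while True:
        m = ID_RE.search(name)
        if not m:
            break
        ids.append(m.group(1).upper())
        name = name[:m.start()]
    return name, ids


def triage(paths):
    """Group encrypted files by victim ID and flag files hit more than once."""
    by_id = defaultdict(list)
    multi = []
    untouched = 0
    for p in paths:
        _, ids = strip_ids(PurePosixPath(p).name)
        if not ids:
            untouched += 1
            continue
        for i in ids:
            by_id[i].append(p)
        if len(ids) > 1:
            multi.append((p, ids))
    return {
        "distinct_ids": sorted(by_id),
        "keys_needed": len(by_id),          # one decryption key per unique ID
        "files_per_id": {k: len(v) for k, v in by_id.items()},
        "multi_encrypted": multi,           # files that need more than one key
        "untouched": untouched,
    }


# Constructed sample: two encryption runs (A1B-2C3-D4E, then F00-BA7-123) over
# the same share; the HR handbook was caught by both runs.
SAMPLE = [
    "/srv/share/finance/q3-forecast.xlsx.A1B-2C3-D4E",
    "/srv/share/finance/budget.docx.A1B-2C3-D4E",
    "/srv/share/hr/handbook.pdf.A1B-2C3-D4E.F00-BA7-123",
    "/srv/share/hr/org-chart.pptx.F00-BA7-123",
    "/srv/share/README.txt",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(f"distinct victim IDs: {report['distinct_ids']}")
    print(f"decryption keys needed: {report['keys_needed']}")
    for path, ids in report["multi_encrypted"]:
        print(f"encrypted {len(ids)} times: {path} (IDs, newest first: {ids})")
```

In a real engagement you would feed `triage` the output of a recursive directory listing from each affected share rather than a hard-coded list; the point is to establish the number of distinct IDs before any negotiation or decryptor testing starts, and to know which files will still be unreadable after the first key is applied.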
FBI and CISA have provided Indicators of Compromise (IOCs) and YARA rules to help defenders detect ongoing attacks and stop them before files are encrypted. The advisory also lists mitigations to reduce the risk of compromise, including:
- Creating and enforcing password policies for all accounts that follow the latest guidance published by the National Institute of Standards and Technology (NIST)
- Implementing a robust backup strategy for all data: keeping multiple copies of data and servers in separate, segmented and secure locations, encrypting the backup copies, and testing backups to confirm that files can actually be restored
- Requiring multifactor authentication for all services, particularly webmail and accounts used to access critical systems
- Keeping all software and firmware up to date
- Installing antivirus software on all hosts and keeping it updated
- Regularly auditing all user accounts with administrator privileges
- Applying the principle of least privilege
- Implementing time-based access controls for accounts at the administrator level and above
- Disabling unused ports
- Disabling hyperlinks in received email and adding a banner to all messages that originate outside the organization
- Disabling command-line and scripting activities and permissions to impede lateral movement.
If an attack succeeds, the FBI encourages victims to share information with the Bureau regardless of whether the ransom was paid. In particular, the FBI asks for boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the Zeppelin actors, Bitcoin wallet information, a benign sample of an encrypted file, and/or decryptor files.