Zeppelin Ransomware Victims May Need Multiple Decryption Keys
US authorities have warned that victims of one ransomware-as-a-service (RaaS) family may need several unique decryption keys, not just one, to stand any chance of recovering their data.
The US Cybersecurity and Infrastructure Security Agency (CISA) said in a new alert that the Zeppelin variant has been around since at least 2019, with ransoms ranging from several thousand dollars to $1m+.
“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack,” CISA added. “This results in the victim needing several unique decryption keys.”
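A practical consequence of the point CISA makes above is that, before negotiating or testing a decryptor, a responder should inventory how many distinct per-instance markers are present on the encrypted data, because each one implies a separate key. The script below is an added example written for this article, not code from CISA or from the Zeppelin binary: it groups encrypted files by the trailing extension the ransomware appended and reports the count of distinct instances per share. The marker format it matches (three dash-separated groups of three hex digits) and the file listing are constructed assumptions for the example; on a real incident, replace the pattern with the extension actually observed on the victim's files.

```python
import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Assumed per-instance marker format for this example: a trailing extension of
# three 3-hex-digit groups separated by dashes (e.g. ".A1B-2C3-D4E"). This is
# not a documented Zeppelin indicator; substitute the extension seen on the
# victim's files.
DEFAULT_MARKER_RE = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$", re.IGNORECASE)

# Constructed sample listing, as it might be collected from two file servers
# after the ransomware binary was executed twice in the same network.
SAMPLE_LISTING = [
    r"\\fs01\finance\q3_forecast.xlsx.A1B-2C3-D4E",
    r"\\fs01\finance\payroll.accdb.A1B-2C3-D4E",
    r"\\fs01\hr\contracts\smith.docx.A1B-2C3-D4E",
    r"\\fs02\eng\designs\pump.dwg.9F0-E1D-C2B",
    r"\\fs02\eng\designs\valve.dwg.9F0-E1D-C2B",
    r"\\fs02\eng\README.md",            # untouched file, no marker
    r"\\fs02\eng\HOW_TO_RESTORE.txt",   # constructed ransom-note name, not encrypted
]


def collect_listing(root: str) -> Iterable[str]:
    """Walk a mounted share or image and yield every file path (for live use)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def extract_marker(path: str, pattern: re.Pattern = DEFAULT_MARKER_RE) -> Optional[str]:
    """Return the normalised per-instance marker on an encrypted file, or None."""
    match = pattern.search(path)
    return match.group(1).upper() if match else None


def group_by_marker(paths: Iterable[str], pattern: re.Pattern = DEFAULT_MARKER_RE) -> Dict[str, List[str]]:
    """Bucket encrypted files by marker; files without a marker are ignored."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        marker = extract_marker(path, pattern)
        if marker:
            groups[marker].append(path)
    return dict(groups)


def keys_needed(paths: Iterable[str], pattern: re.Pattern = DEFAULT_MARKER_RE) -> int:
    """One distinct marker corresponds to one execution, hence one decryption key."""
    return len(group_by_marker(paths, pattern))


def share_of(path: str) -> str:
    """Reduce a UNC path to its \\server\share prefix for reporting."""
    parts = path.lstrip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2]) if len(parts) >= 2 else path


def summarize(paths: Iterable[str], pattern: re.Pattern = DEFAULT_MARKER_RE) -> List[dict]:
    """Per-marker file counts and the shares each instance touched, largest first."""
    rows = []
    for marker, files in group_by_marker(paths, pattern).items():
        rows.append({
            "marker": marker,
            "files": len(files),
            "shares": sorted({share_of(f) for f in files}),
        })
    rows.sort(key=lambda r: (-r["files"], r["marker"]))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LISTING):
        print(f"{row['marker']}: {row['files']} files on {', '.join(row['shares'])}")
    print("distinct decryption keys needed:", keys_needed(SAMPLE_LISTING))
```

On a live case, feed `collect_listing()` of each mounted share or forensic image into `summarize()` instead of the constructed list; the share breakdown also helps scope which segments each execution reached.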
Zeppelin, which is said to be derived from the Delphi-based Vega malware family, has targeted a wide range of organizations including those in the defense, education, manufacturing and technology sectors. However, its main targets have been in the healthcare and medical industries, according to CISA.
“Zeppelin actors gain access to victim networks via RDP exploitation, exploiting SonicWall firewall vulnerabilities and phishing campaigns,” the alert noted.
“Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.”
In the phishing scenario, threat actors aim to trick users into clicking on a malicious link or opening a booby-trapped attachment in order to execute malicious macros, CISA said.
Like most ransomware actors today, Zeppelin affiliates also try to exfiltrate data before deploying their final payload and leaving a ransom note.
CISA listed a long line of recommended mitigations for Zeppelin, ranging from best-practice password management and multi-factor authentication to regular patching, network segmentation, disabling unused ports and maintaining offline data backups.
Organizations should also disable command-line and scripting activities and permissions, follow an access policy of least privilege, and implement time-based access for accounts set at admin level and higher, it said.