Security News > 2022 > August > Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics

Zeppelin ransomware is back and employing new compromise and encryption tactics in its recent campaigns against various vertical industries-particularly healthcare-as well as critical infrastructure organizations, the feds are warning.

Zeppelin also appears to have a new multi-encryption tactics, executing the malware more than once within a victim's network and creating different IDs and file extensions for multiple instances attack, according to the CISA. "This results in the victim needing several unique decryption keys," according to the advisory.

Zeppelin also appears to be using the common ransomware tactic of double extortion in its latest campaigns, exfiltrating sensitive data files from a target prior to encryption for potential publication online later if the victim refuses to pay, according to the CISA. Multiple Encryption.

Once Zeppelin ransomware is executed on a network, each encrypted file is appended with a randomized nine-digit hexadecimal number as a file extension, e.g., file.

The latest campaigns also show threat actors using a new tactic associated with Zeppelin to execute the malware multiple times within a victim's network, which means a victim would need not one but multiple decryption keys to unlock files, according to the CISA. However, this may or may not be a unique aspect of a ransomware attack, noted one security professional.

When the victim asks for proof that the ransomware attacker has decryption keys that can successfully unlock files if a ransom is paid, the ransomware group then uses a single key to unlock a single set of files to prove its worth, Grimes said.

News URL

https://threatpost.com/zeppelin-ransomware-resurfaces/180405/