+1 206 446 0600 umv@merysolsecurity.com

New Ransomware targetting Healthcare industry

Attention HIPAA entities the FBI & CISA warn over ransomware gang that can make million dollar demands

ZDnet reports that CISA, the US Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation (FBI) have released details of the tactics of a ransomware group called Zeppelin which has been targeting large organizations in the US and Europe with huge ransom demands.

Zeppelin emerged in late 2019 as a ransomware-as-a-service double- extortion operation and was previously called VegaLocker ransomware. It was known for targeting healthcare sector organizations across Europe and North America. The agencies say the group has also targeted defense contractors, educational institutions, manufacturers, technology companies, but notes it has “especially” targeted organizations in the healthcare and medical industries.

According to the joint advisory, Zeppelin actors have also compromised victim networks by exploiting remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing. The UK’s National Health Service (NHS) last year reported the group was using malicious macros in Word documents to spread the malware, but that may be less likely in future after Microsoft’s recent default block on untrusted VBA macros in Office.

Zeppelin actors are known to have demanded ransoms of several thousand dollars to in excess of $1 million. The advisory references Core Security’s research, which describes Zeppelin as a “well-organized” threat. ^MThe FBI has found attackers do indeed take extra care in laying the groundwork before and during ransomware deployments. For example, they spend up to two weeks mapping a network looking for cloud storage and network backups. Then the malware is deployed as a DLL or executable file contained within a PowerShell loader.

Zeppelin ensures victims need not just one but possibly several decryption keys and a network often ends up with machines tagged with multiple IDs. Once executed, each file is tagged with a randomized nine-digit hexadecimal number as a file extension that serves as a victim’s personal ID.

“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys,” the advisory states. ^MThe FBI hopes to collect information from victims of Zeppelin actors. It encourages victims to report ransomware incidents to a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.

These news are important to HIPAA entities in the US.   Merysol Security specializes in assisting companies regulated by HIPAA in becming less exposed to Ransomware and other cyber attacks.

You May Also Like …


Submit a Comment

Your email address will not be published. Required fields are marked *