An example of a ransom note from threat actors using the Zeppelin ransomware. (CISA)

The FBI has identified the Zeppelin ransomware and its variants being used in attacks as recently as June 21 and, along with the Cybersecurity and Infrastructure Security Agency, is informing organizations of the signs associated with the Delphi-based Vega malware family in a joint alert released Thursday.

Threat actors have used Zeppelin since 2019 as ransomware-as-a-service (RaaS) to target a wide range of organizations, including defense contractors, educational institutions, manufacturers, tech companies, and especially healthcare and the medical industries, according to the alert.

The bad actors gain access to networks in a variety of ways, including RDP exploitation, SonicWall firewall vulnerabilities and phishing campaigns, and spend one to two weeks mapping the network before deploying the ransomware.
See the alert here for details of the indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs).
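The alert names RDP as one of the initial access vectors, and the one-to-two-week dwell time before encryption means the logon activity that precedes deployment is the window defenders have to catch. The following is an added example, not code from the alert or from CISA/FBI, showing one detection a practitioner could run over Windows logon events: a burst of failed RDP logons (event 4625, LogonType 10) from one source address followed by a successful RDP logon (event 4624, LogonType 10) from the same address. The event records, addresses, usernames, timestamps and the simplified tuple shape are all constructed for the example; a real deployment would parse the actual Security event log.

```python
"""Added example (not from the CISA/FBI alert): flag a burst of failed RDP
logons from one source address followed by a successful logon from that
address, one pattern associated with RDP-based initial access.

Records are constructed here as tuples in a simplified shape:
    (timestamp, event_id, logon_type, user, source_ip)
where event_id 4625 = failed logon, 4624 = successful logon, and
logon_type 10 = RemoteInteractive (RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("2022-06-01T02:00:01", 4625, 10, "admin", "203.0.113.7"),
    ("2022-06-01T02:00:03", 4625, 10, "administrator", "203.0.113.7"),
    ("2022-06-01T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2022-06-01T02:00:07", 4625, 10, "jsmith", "203.0.113.7"),
    ("2022-06-01T02:00:09", 4625, 10, "svc_sql", "203.0.113.7"),
    ("2022-06-01T02:01:30", 4624, 10, "jsmith", "203.0.113.7"),
    ("2022-06-01T09:15:00", 4624, 10, "alee", "10.0.0.25"),   # routine internal RDP
    ("2022-06-01T09:16:00", 4625, 10, "alee", "10.0.0.25"),   # single mistyped password
    ("2022-06-01T09:17:00", 4624, 3, "alee", "10.0.0.25"),    # network logon, not RDP
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, user, success_timestamp) tuples for every successful
    RDP logon that was preceded, within `window`, by at least `threshold`
    failed RDP logons from the same source address.

    Events are processed in timestamp order; ISO 8601 timestamps sort
    correctly as strings, so a plain sort is enough for this sample shape."""
    failures = defaultdict(list)   # source_ip -> timestamps of recent 4625s
    hits = []
    for ts, event_id, logon_type, user, src in sorted(events):
        if logon_type != 10:
            continue               # only RemoteInteractive (RDP) logons matter here
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(t)
        elif event_id == 4624:
            recent = [f for f in failures[src] if t - f <= window]
            if len(recent) >= threshold:
                hits.append((src, user, ts))
            failures[src].clear()  # a success ends the current failure run
    return hits


if __name__ == "__main__":
    for src, user, when in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"possible RDP brute force followed by success: {src} as {user} at {when}")
```

The threshold and window are deliberately conservative so that a single mistyped password from an internal workstation (the `10.0.0.25` records) does not fire; tuning both to the environment's baseline, and restricting the rule to RDP exposed to untrusted networks, is what keeps the alert volume useful.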
Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.