CISA Alert AA22-223A – #StopRansomware: Zeppelin Ransomware.

Zeppelin ransomware functions as a ransomware-as-a-service (RaaS), and since 2019, actors have used this malware to target a wide range of businesses and critical infrastructure organizations. Actors use remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing campaigns to gain initial access to victim networks and then deploy Zeppelin ransomware to encrypt victims’ files.

AA22-223A Alert, Technical Details, and Mitigations

Zeppelin malware YARA signature

What is Zeppelin Ransomware? Steps to Prepare, Respond, and Prevent Infection

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed TTPs and IOCs to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.