CISA Cybersecurity Alerts 8.11.22
Ep 27 | 8.11.22

CISA Alert AA22-223A – #StopRansomware: Zeppelin Ransomware.


This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Two Two Three Alpha.

Original release date: August Eleventh, twenty twenty two.

The FBI and CISA are releasing this joint advisory to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as June 21st, 2022.

Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service. From 2019 through June 2022, cyber actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.

Zeppelin actors gain access to victim networks via RDP exploitation, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping the victim network to identify data enclaves, including cloud storage and network backups. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.

Prior to encryption, Zeppelin actors exfiltrate sensitive company data to sell or publish in the event the victim refuses to pay the ransom.

The alert documentation linked in the show notes includes indicators of compromise, a full MITRE ATT&CK mapping for this threat activity, recommended mitigation actions, and detection techniques for Zeppelin malware.

This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These advisories include observed TTPs and IOCs to help organizations protect against ransomware. Visit to see all #StopRansomware advisories and to learn more about other ransomware threats and resources.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.