Skip to content


The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory detailing the actions of a newly detected ransomware dubbed ‘Zeppelin’.

The malware, which was recently first detected by the FBI in June 2022, has been seen encrypting files on victim devices multiple times, therefore requiring multiple decryption keys to regain access to the data. Additionally, the FBI warns that threat actors deploying Zeppelin ransomware will download data before encrypting it, going on to sell the data online or threaten to release it in the event a victim refuses to pay the ransom, as can be seen in their ransom note.

An example of the ransom note left by Zeppelin ransomware. Source:

Some of the notable ways threat actors deploying Zeppelin gained access to victim’s network was through phishing campaigns, exploiting vulnerabilities in public-facing systems (notably SonicWall firewall), and RDP exploitation. The FBI adds that threat actors will typically spend a few weeks mapping the victim network, specifically looking for cloud storage and backup systems

A full technical description, as well as indicators of compromise for this malware, can be found here.


Some of the best steps to take to stay protected against any ransomware include:

  • Ensuring that an updated antivirus is running on all work devices
  • Regularly creating multiple backups of all essential data
  • Consider the 3-2-1 rule when creating data backups: Have at least 3 copies, on 2 devices, with 1 offsite backup
  • If possible, ensure an administrator account must approve all new software – all other accounts should require permission before downloading new applications
  • Ensure backup methods cannot be edited by malware should ransomware get on your system
  • Keep all work devices and software regularly updated and on the latest operating system versions

The FBI has also released the indicators of compromise and attack techniques for this malware. If possible, consider setting up systems that can detect hashes and activity related to this attack.

As threat actors deploying this attack have been seen spending time looking around victim networks prior to deploying the ransomware, keep on the lookout for suspicious and unusual activity within your network. This may include connections from unusual IP addresses, multiple login attempts, and unusual changes to user accounts and system settings.

The FBI also specified that threat actors were specifically targeting SonicWall vulnerabilities. Should you use SonicWall firewall, check that your SonicWall systems are on the latest versions, and update as soon as possible if not.

Related Links: