Oasis Ticket Sales Scams: How to Stay Safe
During our weekly meetings with the banking industry and Police Scotland, we continue to see a significant increase in ticket scams over the last three…
FBI Warns of Zeppelin Ransomware Gangs Encrypting Files Multiple Times
Description:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory detailing the actions of a newly detected ransomware dubbed ‘Zeppelin’.
The malware, which was recently first detected by the FBI in June 2022, has been seen encrypting files on victim devices multiple times, therefore requiring multiple decryption keys to regain access to the data. Additionally, the FBI warns that threat actors deploying Zeppelin ransomware will download data before encrypting it, going on to sell the data online or threaten to release it in the event a victim refuses to pay the ransom, as can be seen in their ransom note.
Some of the notable ways threat actors deploying Zeppelin gained access to victim’s network was through phishing campaigns, exploiting vulnerabilities in public-facing systems (notably SonicWall firewall), and RDP exploitation. The FBI adds that threat actors will typically spend a few weeks mapping the victim network, specifically looking for cloud storage and backup systems
A full technical description, as well as indicators of compromise for this malware, can be found here.
Preventions:
Some of the best steps to take to stay protected against any ransomware include:
- Ensuring that an updated antivirus is running on all work devices
- Regularly creating multiple backups of all essential data
- Consider the 3-2-1 rule when creating data backups: Have at least 3 copies, on 2 devices, with 1 offsite backup
- If possible, ensure an administrator account must approve all new software – all other accounts should require permission before downloading new applications
- Ensure backup methods cannot be edited by malware should ransomware get on your system
- Keep all work devices and software regularly updated and on the latest operating system versions
The FBI has also released the indicators of compromise and attack techniques for this malware. If possible, consider setting up systems that can detect hashes and activity related to this attack.
As threat actors deploying this attack have been seen spending time looking around victim networks prior to deploying the ransomware, keep on the lookout for suspicious and unusual activity within your network. This may include connections from unusual IP addresses, multiple login attempts, and unusual changes to user accounts and system settings.
The FBI also specified that threat actors were specifically targeting SonicWall vulnerabilities. Should you use SonicWall firewall, check that your SonicWall systems are on the latest versions, and update as soon as possible if not.
Related Links:
https://www.cisa.gov/uscert/ncas/alerts/aa22-223a – Published August 11th
Related articles
Alert: Unpatched Microsoft Office Vulnerability Exposes NTLM Hashes
Microsoft has recently disclosed a significant security vulnerability affecting multiple versions of its Office suite, including Office 2016, Office 2019, Office LTSC 2021 and Microsoft…
Public Alert: Windows 11 End of Support – Action Required
Microsoft has issued an important reminder that multiple editions of Windows 11 will reach the end of their support lifecycle on 8 October 2024. This…