FBI, CISA warn of Zeppelin ransomware targeting healthcare
In a joint alert issued August 11, the Federal Bureau of Investigation and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency warned about the Zeppelin strain of ransomware, which has been aimed at healthcare organizations.
WHY IT MATTERS
The alert describes the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) of the Zeppelin variant, and offers recommendations to help hospitals and health systems mitigate its risks.
"Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS)," say federal officials.
"From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries."
Cybercriminals who deploy Zeppelin request ransom payments in bitcoin, they said, with demands ranging from several thousand dollars to more than a million.
"The actors gain access to victim networks via RDP [Remote Desktop Protocol] exploitation, exploiting SonicWall firewall vulnerabilities, and phishing campaigns," said FBI and CISA officials.
"Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader."
Before encryption, the bad actors exfiltrate "sensitive company data files to sell or publish in the event the victim refuses to pay the ransom," they added.
Once the variant is executed, "a randomized nine-digit hexadecimal number is appended to each encrypted file as a file extension," they said. "A note file with a ransom note is left on compromised systems, frequently on the desktop."
The FBI said it has seen cases where Zeppelin ransomware was executed "multiple times within a victim's network, resulting in the creation of different IDs or file extensions, for each instance of an attack. This results in the victim needing several unique decryption keys."
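The file-extension behaviour the agencies describe lends itself to a simple triage check during incident response. The following is an added example, not code from the advisory or the article: it assumes the appended extension is exactly nine contiguous hexadecimal digits (as the quoted wording suggests) and runs over a constructed directory listing, grouping hits by extension so a responder can see how many separate encryption runs (and therefore how many distinct decryption keys) are involved.

```python
import os
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumption: the advisory's "randomized nine-digit hexadecimal number" appended
# as a file extension means exactly nine contiguous hex digits after a dot.
ZEPPELIN_EXT = re.compile(r"\.([0-9A-Fa-f]{9})$")

# Constructed sample listing (not real indicators): two encryption runs, each
# with its own extension, mixed with ordinary files that must not match.
SAMPLE_LISTING = [
    r"C:\Users\clinic\Documents\patient_schedule.xlsx.1A2B3C4D5",
    r"C:\Users\clinic\Documents\billing_q2.docx.1A2B3C4D5",
    r"C:\Shares\Radiology\study_0091.dcm.9F8E7D6C5",
    r"C:\Shares\Radiology\study_0092.dcm.9f8e7d6c5",  # same run, lowercase
    r"C:\Users\clinic\Desktop\notes.txt",
    r"C:\Program Files\App\readme.md5",               # too short to match
    r"C:\Users\clinic\Pictures\IMG_0001.jpeg",        # not hexadecimal
]


def zeppelin_extension(path: str) -> Optional[str]:
    """Return the normalised nine-hex-digit extension if the path matches, else None."""
    match = ZEPPELIN_EXT.search(path)
    return match.group(1).upper() if match else None


def group_by_instance(paths: List[str]) -> Dict[str, List[str]]:
    """Map each distinct extension (one per encryption run) to the files carrying it."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        ext = zeppelin_extension(path)
        if ext:
            hits[ext].append(path)
    return dict(hits)


def summarize(paths: List[str]) -> Dict[str, object]:
    """Count encryption runs and affected files; each run implies its own key."""
    groups = group_by_instance(paths)
    return {
        "instances": len(groups),
        "files": sum(len(files) for files in groups.values()),
        "extensions": sorted(groups),
    }


def scan_tree(root: str) -> List[str]:
    """Collect file paths under a real directory tree for live triage."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]


if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
```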
In a statement sent to Healthcare IT News, researcher Roger Grimes, data-driven defense evangelist at KnowBe4, noted that it's unclear whether "the same files are accidentally being encrypted multiple times (which would be rare, but not unique) or simply different files being separately encrypted (which is very common).
"Most ransomware programs today have an overall master key which encrypts a bunch of other keys which really do the encryption," he added. "And when the victim asks for proof that the ransomware attacker has decryption keys and that the ransomware gang's software or process will work if the victim pays the ransom, the ransomware group will release a single key to unlock a single set of files as 'proof of life.'"
As for mitigations, FBI and CISA officials said healthcare and other organizations should take common-sense steps to reduce the risk of adverse effects from Zeppelin ransomware.
They advise implementing a recovery plan to maintain and retain multiple copies of important data and servers in a physically separate, segmented and secure location; requiring all accounts with password logins to comply with NIST standards for developing and managing password policies; requiring administrator credentials to install software and requiring multifactor authentication "for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems."
The agencies also recommend disabling command-line and scripting activities and permissions, as "privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally."
THE LARGER TREND
The alert came on the same day that Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wisconsin – former co-chairs of the Cyberspace Solarium Commission – sent a letter to U.S. Health and Human Services Secretary Xavier Becerra requesting a briefing on HHS' efforts to protect hospitals and public health organizations from cyberattack.
"Ransomware attacks on the HPH sector have skyrocketed in the past two years as opportunistic criminals recognized that hospitals may pay quickly to resolve issues and protect patient safety," they wrote. "Meanwhile, the troves of personally identifiable information and personal health information make organizations in the sector valuable targets for both criminal and nation-state hackers."
While they applauded recent moves such as a White House executive forum on healthcare cybersecurity, the FDA's prioritization of medical device cybersecurity and added resources for the HHS' Critical Infrastructure Protection Division and its Health Sector Cybersecurity Coordination Center, or HC3, King and Gallagher said they had concerns about a "lack of robust and timely sharing of actionable threat information with industry partners and the need to dramatically scale up the [HHS'] capabilities and resources."
They asked for a briefing to gauge the department's capabilities as the Sector Risk Management Agency for the hospital and public health sector, and to get an assessment of the current authorities HHS has to improve cybersecurity across the sector – as well as the gaps in those authorities and what more might be needed to ensure the agency has the personnel, budget and tools it needs in that capacity.
ON THE RECORD
In a statement about the new Zeppelin ransomware advisory, meanwhile, John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, offered that organization's perspective.
"It appears this gang is stealing and threatening to publicly release sensitive information such as patient information, payroll, human resources and non-disclosure-protected information," said Riggi. "Thus, even if a victim organization can independently restore encrypted files from backup, they face the dilemma of potential public release of stolen information in the possession of the criminals.
"The AHA, along with the federal government, strongly discourages the payment of ransom," he added. "This alert along with the comprehensive #stopransomware site provide extensive guidance on how to protect your systems from ransomware and avoid the ethical and legal dilemma of 'pay, not pay.'"
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.