The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CISA Sounds Alarm About Zeppelin Ransomware Targeting Healthcare Organizations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about the Zeppelin ransomware-as-a-service (RaaS) operation, which has extensively targeted organizations in the healthcare and medical industries.

Zeppelin ransomware, a variant of Vega malware, has been used in attacks on critical infrastructure organizations since 2019. The threat actors have been observed using a variety of vectors to gain initial access to victims’ networks, especially the exploitation of Remote Desktop Protocol (RDP), vulnerabilities in SonicWall appliances, vulnerabilities in Internet-facing applications, and phishing emails. The phishing-based attacks use a combination of malicious links and attachments containing malicious macros.

The threat actors typically spend around 1-2 weeks inside victims’ networks before deploying the ransomware payload. During this time, they map or enumerate victims’ networks, identify data of interest, including backups and cloud storage services, and exfiltrate sensitive data. A ransom demand is then issued, usually in Bitcoin, with the demand ranging from several thousand dollars to more than a million.

The FBI has observed several attacks in which the malware was executed multiple times. Each run leaves victims with an additional ID and file extension, so several different decryption keys are required to recover their files, which adds to the complexity of recovery from an attack.
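One practical consequence for incident responders is that the number of distinct appended IDs tells you how many decryption keys to ask for, and files hit by more than one run must be decrypted in reverse order. The following Python inventory is an added example and is not code from the advisory or from CISA/FBI; the `XXX-XXX-XXX` suffix pattern and the file listing are constructed assumptions for illustration, not the real Zeppelin naming scheme.

```python
import re
from collections import defaultdict

# Assumed suffix format for this example: ".<run id>" appended after the
# original name, where the run id looks like A1B-2C3-4D5. Adjust to match
# what you actually observe on the affected hosts.
ID_RE = re.compile(r"\.([A-Z0-9]{3}-[A-Z0-9]{3}-[A-Z0-9]{3})$")

# Constructed sample listing (not real victim data).
SAMPLE_PATHS = [
    r"\\fs01\finance\budget.xlsx.A1B-2C3-4D5",
    r"\\fs01\finance\q3-report.docx.A1B-2C3-4D5",
    r"\\fs01\hr\roster.csv.F6G-7H8-9J0",
    r"\\fs01\hr\handbook.pdf.A1B-2C3-4D5.F6G-7H8-9J0",  # encrypted by both runs
    r"\\fs01\hr\readme.txt",                             # untouched
]


def split_suffixes(name):
    """Peel appended run ids off a file name.

    Returns (original_name, ids) with ids ordered outermost-first, i.e. the
    order in which the layers would have to be decrypted.
    """
    ids = []
    while True:
        m = ID_RE.search(name)
        if not m:
            break
        ids.append(m.group(1))
        name = name[: m.start()]
    return name, ids


def inventory(paths):
    """Group encrypted files by run id and list files hit more than once."""
    runs = defaultdict(set)   # run id -> set of affected paths
    layered = {}              # path -> ids (files encrypted by several runs)
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1]
        _, ids = split_suffixes(base)
        for rid in ids:
            runs[rid].add(p)
        if len(ids) > 1:
            layered[p] = ids
    return {"runs": {k: sorted(v) for k, v in runs.items()}, "layered": layered}


def keys_required(paths):
    """Number of distinct decryption keys the victim will need."""
    return len(inventory(paths)["runs"])


if __name__ == "__main__":
    result = inventory(SAMPLE_PATHS)
    print(f"distinct encryption runs: {keys_required(SAMPLE_PATHS)}")
    for rid, files in result["runs"].items():
        print(f"  {rid}: {len(files)} file(s)")
    for path, ids in result["layered"].items():
        print(f"  multi-layer: {path} -> decrypt order {ids}")
```

Run the script against a recursive listing of the affected shares instead of `SAMPLE_PATHS`; the `layered` map is the set of files where a single decryptor will not be enough.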


CISA and the FBI have shared Indicators of Compromise (IoCs) and Yara rules to help network defenders identify attacks in progress and block attacks before file encryption. Mitigations have also been shared to reduce the risk of compromise, which include:

  • Developing and managing password policies for all accounts in accordance with the latest standards published by the National Institute of Standards and Technology (NIST)
  • Developing a robust backup plan for all data – Create multiple backups of data and servers, store those backups in separate, segmented, and secure locations, encrypt backups, and test backups to make sure file recovery is possible
  • Implementing multifactor authentication for all services, especially webmail, VPNs, and accounts used to access critical systems
  • Ensuring all software and firmware are kept up to date
  • Installing antivirus software on all hosts and regularly updating the software
  • Conducting regular audits of all user accounts with admin privileges
  • Applying the principle of least privilege
  • Implementing time-based controls for admin-level accounts and higher
  • Disabling all unused ports
  • Disabling hyperlinks in received emails and adding a banner to all emails from external sources
  • Disabling command-line and scripting activities and permissions to prevent lateral movement

In the event of a successful attack, the FBI encourages victims to share information with the FBI, regardless of whether the ransom is paid. Specifically, the FBI requests boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
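Pulling the "boundary logs showing communication to and from foreign IP addresses" out of a firewall export is usually the first artifact a victim has to produce. The following Python script is an added example, not code from the advisory or from CISA/FBI: it assumes a simple space-separated log format (timestamp, action, source, destination, destination port, bytes) and treats "foreign" as any address outside an assumed set of internal prefixes; the log lines and IP addresses are constructed for illustration.

```python
import ipaddress

# Assumption for this example: the organization's internal address space.
# Replace with the prefixes actually routed inside your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample boundary-firewall export (not real logs).
# Fields: timestamp action src dst dport bytes
SAMPLE_LOG = """\
2022-08-10T02:14:07Z ALLOW 10.20.4.17 203.0.113.45 443 184320
2022-08-10T02:14:09Z ALLOW 10.20.4.17 10.20.1.5 445 2048
2022-08-10T02:15:31Z ALLOW 198.51.100.23 10.20.4.17 3389 912
2022-08-10T02:16:02Z DENY 10.20.4.17 203.0.113.45 443 0
2022-08-10T02:17:45Z ALLOW 10.20.4.17 203.0.113.45 443 7340032
2022-08-10T02:18:00Z ALLOW 10.20.4.17 192.168.5.9 53 128
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, action, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def external_peers(log_text):
    """Summarize every connection to or from a non-internal address."""
    summary = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        for peer, direction in ((rec["dst"], "outbound"), (rec["src"], "inbound")):
            if is_internal(peer):
                continue
            s = summary.setdefault(peer, {
                "first_seen": rec["ts"], "last_seen": rec["ts"],
                "connections": 0, "denied": 0, "bytes": 0,
                "directions": set(), "ports": set(),
            })
            s["first_seen"] = min(s["first_seen"], rec["ts"])
            s["last_seen"] = max(s["last_seen"], rec["ts"])
            s["connections"] += 1
            s["denied"] += rec["action"] == "DENY"
            s["bytes"] += rec["bytes"]
            s["directions"].add(direction)
            s["ports"].add(rec["dport"])
    return summary


def large_outbound(summary, threshold_bytes):
    """External peers that received more than threshold_bytes (exfil review list)."""
    return sorted(ip for ip, s in summary.items()
                  if "outbound" in s["directions"] and s["bytes"] > threshold_bytes)


if __name__ == "__main__":
    peers = external_peers(SAMPLE_LOG)
    for ip, s in sorted(peers.items()):
        print(f"{ip}: {s['connections']} conn ({s['denied']} denied), "
              f"{s['bytes']} bytes, ports {sorted(s['ports'])}, "
              f"{s['first_seen']} .. {s['last_seen']}")
    print("review for exfiltration:", large_outbound(peers, 1_000_000))
```

The per-peer summary (first and last seen, ports, byte volume, inbound versus outbound) is the shape of what the FBI asks for; the `large_outbound` list is the subset worth correlating with the data-of-interest enumeration described above, since large transfers to an unfamiliar address during the dwell period are the typical sign of exfiltration before encryption.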

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
