One Article Review

Home - The article:
Source Fortinet ThreatSignal
Identifier 6422261
Publication date 2022-08-19 16:24:48 (viewed: 2022-08-20 00:05:39)
Title Joint Cybersecurity Advisory on Zeppelin Ransomware (AA22-223A)
Text On August 11, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Zeppelin ransomware. The alert provides insight into the tactics, techniques, and procedures (TTPs) and the indicators of compromise used by Zeppelin threat actors. Zeppelin has been operating since 2019 and has targeted organizations across multiple industries as well as critical infrastructure sectors.

What is Zeppelin ransomware?
Zeppelin is a Delphi-based ransomware run as a Ransomware-as-a-Service (RaaS). The first reports of Zeppelin ransomware go back as far as December 2019. Some reports suggest that Zeppelin originates from the VegaLocker and Buran strains. According to the CISA advisory, Zeppelin's infection vectors include RDP exploitation, exploitation of vulnerabilities in popular firewall products, and phishing emails. Once the threat actors have compromised the victim's network, they steal sensitive information from the victim before starting the file encryption process. Zeppelin typically appends a ".zeppelin" extension to the encrypted files, although other file extensions have also been observed. After the files are encrypted, the victim is presented with a ransom note, typically named "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT", containing the attacker's contact information (email, Jabber, ICQ or Telegram) and a ransom message.
Victims are threatened that the encrypted files will not be recovered and that the stolen information will be released to the public if the ransom is not paid.

[Figure: ransom note from a recent Zeppelin ransomware sample]

The advisory also states that in some cases the threat actors ran Zeppelin ransomware more than once on the compromised network, so that multiple decryption keys were required to decrypt the files.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against known Zeppelin ransomware variants:
W32/Zeppelin.FBFD!tr.ransom
W32/Buran.H!tr.ransom
W32/Agent.H!tr.ransom
W32/Filecoder_Buran.J!tr.ransom
W32/Kryptik.GOGY!tr
W32/Kryptik.HIMG!tr
W32/Kryptik.HJEK!tr
W32/Generic.AC.171!tr
W64/Agent.EQ!tr
W32/Neshta.E
W32/CoinMiner.NBX!tr
W32/PossibleThreat
Riskware/Application
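The two file-system indicators the advisory gives, the ".zeppelin" extension appended to encrypted files and the ransom-note filename, are enough for a first triage sweep of a share or host image. The script below is an added example and is not Fortinet's or CISA's code. The directory layout it scans is constructed for the demonstration; the extra ".xyz" extension and the sample note text are assumptions standing in for the "other extensions" the advisory says have been observed, and the directory-level "note present but nothing renamed" check is the author's heuristic, not something the advisory states.

```python
"""
Triage sweep for the Zeppelin file-system indicators named in AA22-223A:
the ".zeppelin" extension on encrypted files and the ransom note
"!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT". Added example, not Fortinet
or CISA code; the directory tree built below is constructed sample data.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
# The advisory names ".zeppelin" but says other extensions were observed,
# so the extension set is a parameter (assumption: case-insensitive match).
DEFAULT_EXTENSIONS = {".zeppelin"}


def scan_tree(root, extensions=DEFAULT_EXTENSIONS):
    """Walk `root` and report ransom notes, renamed files per directory,
    and directories that carry a note but no file with a known extension
    (a hint that a non-default extension was used)."""
    exts = {e.lower() for e in extensions}
    notes = []
    encrypted_per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.upper() == RANSOM_NOTE_NAME.upper():
                notes.append(os.path.join(dirpath, name))
            elif Path(name).suffix.lower() in exts:
                encrypted_per_dir[dirpath] += 1
    return {
        "ransom_notes": sorted(notes),
        "encrypted_per_dir": dict(encrypted_per_dir),
        "encrypted_total": sum(encrypted_per_dir.values()),
        # Heuristic (assumption): a note with no renamed neighbours means
        # the analyst should look for an extension not in `extensions`.
        "note_without_renamed_files": sorted(
            os.path.dirname(n) for n in notes
            if encrypted_per_dir.get(os.path.dirname(n), 0) == 0
        ),
    }


def build_sample_tree():
    """Constructed layout: one share hit with the documented extension,
    one hit with an unknown extension but still carrying the note, and
    one clean share."""
    root = tempfile.mkdtemp(prefix="zeppelin-triage-")
    layout = {
        "finance/report.xlsx.zeppelin": b"\x00" * 16,
        "finance/budget.docx.zeppelin": b"\x00" * 16,
        "finance/" + RANSOM_NOTE_NAME: b"contact: attacker@example.invalid\n",
        "hr/staff.db.xyz": b"\x00" * 16,  # assumed non-default extension
        "hr/" + RANSOM_NOTE_NAME: b"contact: attacker@example.invalid\n",
        "public/readme.txt": b"clean\n",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root)
    print(f"ransom notes found: {len(result['ransom_notes'])}")
    print(f"files with a known extension: {result['encrypted_total']}")
    for d in result["note_without_renamed_files"]:
        print(f"note present but no known extension in {d}; inspect for other extensions")
```

Run it against a mounted share or a forensic image root instead of the sample tree; when the heuristic flags a directory, add the extension you find there to the set and rerun so the per-directory counts cover it.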
Sent Yes
Tags Ransomware Threat
Rating ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.