The FBI and CISA are warning of a new wave of attacks in which Zeppelin ransomware encrypts the same devices multiple times.
In a joint advisory released yesterday, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the FBI cautioned American businesses that attackers using the Zeppelin ransomware might encrypt their files multiple times.
The two federal agencies also shared tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help security teams detect and prevent these ransomware attacks.
According to an advisory released yesterday by the FBI and the Department of Homeland Security, "the FBI has observed cases where Zeppelin actors executed their malware several times within a victim's network, resulting in the production of various IDs or file extensions for each episode of an attack," necessitating numerous decryption keys.
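As an added illustration, not code from the advisory or this article, here is a small incident-triage helper that peels the per-run markers off encrypted file names, counts the distinct runs (each of which needs its own decryption key, as the advisory notes), and flags files that were encrypted more than once. The marker format (one ".XXX-XXX-XXX" hex token appended per run) and the sample file listing are assumptions made for the demo.

```python
import re
from collections import Counter

# Assumed marker format for this demo only: one ".XXX-XXX-XXX" hex token appended
# per encryption run. The advisory says only that each run adds its own ID/extension.
MARKER = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$")


def split_markers(name: str):
    """Peel trailing run markers off a file name; returns (base name, markers oldest-first)."""
    markers = []
    while (m := MARKER.search(name)):
        markers.append(m.group(1))      # latest run is outermost, found first
        name = name[: m.start()]
    return name, list(reversed(markers))


def triage(names):
    """Summarise how many distinct encryption runs touched a set of file names.

    Each distinct marker is one run and therefore one decryption key; a file
    carrying more than one marker was encrypted repeatedly.
    """
    per_run = Counter()
    repeated = []
    for n in names:
        _base, marks = split_markers(n)
        for mk in marks:
            per_run[mk] += 1
        if len(marks) > 1:
            repeated.append(n)
    return {
        "runs": sorted(per_run),
        "keys_needed": len(per_run),
        "files_per_run": dict(per_run),
        "multiply_encrypted": repeated,
    }


# Constructed sample listing for the demo, not data from a real incident.
SAMPLE = [
    "report.docx.A1B-2C3-D4E",
    "budget.xlsx.A1B-2C3-D4E",
    "notes.txt.A1B-2C3-D4E.F5A-6B7-C8D",   # hit by two separate runs
    "readme.txt",                          # untouched
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Against the sample listing the helper reports two runs (so two keys needed) and one file encrypted twice.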
The US FBI discovered Zeppelin on June 21; it is a Ransomware-as-a-Service (RaaS) operation whose malware has gone through several name changes, from VegaLocker to Buran, Jamper, and now Zeppelin.
Affiliates of Zeppelin have been active since at least 2019, targeting corporations and vital infrastructure organizations, including defense contractors and technology enterprises, with a particular emphasis on entities in the healthcare and medical industries.
Additionally, they are notorious for stealing data for double extortion and requesting a ransom in Bitcoin, with initial demands ranging from several thousand to over a million dollars.
The FBI also requested that IT administrators who detect Zeppelin ransomware activity on enterprise networks collect and report relevant data to their local FBI field office.
"Borderline logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign example of an encrypted file" are valuable pieces of information that can assist in identifying the attackers behind this ransomware group.
The FBI said it discourages victims from complying with Zeppelin's ransom demands since there is no assurance doing so will prevent data leaks or future assaults.
Paying is instead likely to encourage the attackers to target further victims and to draw other cybercriminal organizations into ransomware attacks.
Additionally, CISA and the FBI encouraged enterprises to take precautions against Zeppelin ransomware threats, including prioritizing the patching of vulnerabilities exploited in the wild, training employees and users to spot and report phishing attempts, and implementing and enforcing multi-factor authentication.