News & Events

Ransomware-as-a-Service Concerns FBI/CISA

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned last month of an increasing ransomware-as-a-service (RaaS) threat against healthcare organizations. The joint alert by the two agencies came as Congress requested a cybersecurity briefing from the Department of Health and Human Services.

Zeppelin Ransomware-as-a-Service

Zeppelin ransomware, derived from the Delphi-based malware family known as Vega, is being used to target “especially organizations in the healthcare and medical industries.” Ransomware-as-a-service makes it simple for the less tech-savvy to engage in cybercrime without needing to develop their own malware. Bad actors often obtain “sensitive company data files to sell or publish” before encrypting the data “in the event the victim refuses to pay the ransom.” Phishing, RDP exploitation, and SonicWall firewall vulnerabilities have allowed these cybercriminals to access networks.

Ransoms are generally demanded to be paid in Bitcoin by the Zeppelin ransomware-as-a-service actors. Paying from thousands to more than a million US dollars is no guarantee that one’s troubles will end there, however. Multiple instances of Zeppelin have been seen on a single network, requiring multiple decryption keys. Cybercriminals have also been known to hit the same victim again later. Exfiltrated data may be sold or otherwise exposed even after a ransom payment. And while it doesn’t happen often, a bad actor could simply decide not to release the data after receiving payment. Of course, the FBI, CISA, and other federal law enforcement continue to recommend not paying ransoms.


The FBI and CISA strongly encourage healthcare and other organizations to mitigate and reduce the risks of attacks, by ransomware-as-a-service and other malware. Recommendations include a recovery plan including multiple encrypted backups in a “physically separate, segmented, and secure location.” Longer, complex passwords with “hints” and reusable passwords disabled, and multifactor authentication (MFA) are also recommended. Updating and patching all software, firmware, and operating systems can be time-consuming, but it is an effective and efficient way of closing security loopholes; this step can also be outsourced to a Managed Services Provider (MSP) that can handle updates without downtime for your organization. As mentioned above, known vulnerabilities with SonicWall firewalls and other systems continue to be exploited and should be patched immediately.

Network monitoring, real-time malware detection, and disabling of E-mail hyperlinks and unused ports are also suggested. It is critical for all businesses, healthcare-oriented and otherwise, to heed these warnings, remain vigilant, and fend off cyberattacks by ransomware-as-a-service and other types of malware, which continue to evolve and try to elude detection.