Skip to main content

FBI warns of ‘Zeppelin’ ransomware attacks targeting Bay Area companies

The seal of the Federal Bureau of Investigation is seen outside of its headquarters in Washington, DC on August 15, 2022. | Mandel Ngan/AFP via Getty Images

A new threat has emerged, putting health care facilities and other firms on the defensive, according to federal authorities.

It isn’t the next strain of the Covid virus, which mercifully seems to be on the downswing after an extended summer surge. Instead, law enforcement is warning of a spike in ransomware attacks targeting the health care sector, tech companies and even school districts. 

A cybersecurity alert published earlier this month by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) detailed new trends in the attacks, common techniques used to breach systems and indicators of compromised cybersecurity. In particular, so-called “Zeppelin” ransomware, named for a type of malware used in ransomware attacks, is growing in popularity among cybercriminals. 

“Literally you can have a 16-year-old in his mother’s basement that can start hitting companies willy-nilly,” said Elvis Chan, Assistant Agent in Charge of the ​​FBI’s San Francisco division. 

Ransomware—a type of attack that extorts victims by threatening to publish or delete valuable data—has been around for decades. But two new trends raised alarm bells with law enforcement and cybersecurity professionals. 

One is a new focus on attacks on health care facilities and organizations already burdened by the pandemic. The other is an evolution in the business models around ransomware, with the Zeppelin software creating an ecosystem of cybercrime—whereby actors research at-risk organizations, conduct attacks, negotiate ransoms and launder payments—that Chan dubbed “ransomware-as-a-service.” Last year, the FBI estimated around $2.4 billion in damages globally from ransomware.

Federal authorities did not disclose what specific local companies have been targeted. In the Bay Area, tech companies are particularly at risk along with higher education institutions, K-12 schools and school districts, said Chan. 

Chan said he meets regularly with security executives at Silicon Valley tech companies, who saw a rise in certain types of cybercrime coinciding with the Russian invasion of Ukraine. Those include “spear phising” attacks targeting specific people by email. Another common trend is “SMShing”: text messages pretending to be a company leader asking an employee to click on a bogus link or calendar invite. 

Typically, ransomware criminals will gain access to a system through unpatched software, a vulnerability in the organization’s remote access system or a phishing scheme that includes an infected program. The attacker will then map out where the valuable data is, copy and encrypt it before hitting the user with a pop-up demand for payment, generally in the form of Bitcoin. 

Cybersecurity experts and federal officials generally advise against paying a ransom. Chan said in his experience, paying the fee only leads to a completely successful resolution about a quarter of the time.

“It's a sucker bet because three out of four times you pay them a six or seven-figure ransom and you don't get all of your data unlocked,” Chan said.

It can get even worse from there, added Joe Oregon, the CISA chief of cybersecurity for the region that includes San Francisco. Recent studies, Chan echoed, found victims were twice as likely to be hit again if a ransom is paid. 

“At the point of execution, the malicious actors have already mapped their network,” Oregon said. “They've also identified additional vulnerabilities that they can use at a later date in order to come back or sell those to some other hackers looking to make money.”

The best defense is good preparation, they said. 

That includes developing an incident response plan which includes communication with law enforcement, in addition to best practices like multi-factor authentication for users, network segmentation to contain outbreaks, regular audits for users accounts with admin privileges and VPN systems for remote workers. 

The government also maintains a website for updates and advice at

Kevin Truong can be reached at