An example of a ransom note from threat actors using the Zeppelin ransomware. (CISA)

The FBI has identified the Zeppelin ransomware and its variants being used in attacks as recently as June 21 and, along with the Cybersecurity and Infrastructure Security Agency, is informing organizations of the signs associated with the Delphi-based Vega malware family in a joint alert released Thursday.

Threat actors have used Zeppelin since 2019 as ransomware-as-a-service (RaaS) to target a wide range of organizations, including defense contractors, educational institutions, manufacturers, tech companies, and especially healthcare and the medical industries, according to the alert.

The bad actors gain access to networks a variety of ways, including RDP exploitation, SonicWall firewall vulnerabilities and phishing campaigns, and spend one to two weeks mapping the network before deploying the ransomware.

See the alert here for details of the indications of compromise (IoCs) and tactics, techniques and procedures (TTPs).