Home Articles Understanding the New Zeppelin Ransomware

Understanding the New Zeppelin Ransomware


Researchers have discovered a new ransomware targeting healthcare and technology companies across US and Europe. Read on to know more…

Security researchers have discovered a new ransomware targeting healthcare and technology companies across US and Europe. Beginning its journey as VegaLocker, the ransomware evolved into a Ransomware-as-a-Service (RaaS) on Russian hacker forums under the name Buran in May 2019. Affiliates who joined the RaaS would earn 75 percent of the ransom payment, while the Buran operators would earn 25 percent. The latest variant of this ransomware family is now Zeppelin.

Zeppelin Ransomware
Cybercriminals have developed a new ransomware variant called Zeppelin. The ransomware Zeppelin is reportedly a new variant of the Delphi-based ransomware-as-a-service family, commonly known as VegaLocker/Buran Ransomware, which was first discovered in early 2019 and thought be Russian in origin. In a new report from BlackBerry Cylance, researchers detailed the discovery of this new ransomware. Zeppelin ransomware was being used in targeted attacks against healthcare and other tech companies in U.S., Canada, and Europe. Researchers believe the ransomware also targeted MSPs in order to further infect customers via management software.

Researchers explained that the shift in targeting from Russian-speaking to Western countries, as well as the differences in selection of victims and malware’s distribution methods suggests that the Zeppelin variant has been acquired by different threat actors, which either used it as a service or redeveloped from bought/stolen/leaked sources.

The initial attacks were broad in scope, rather than targeted, hosted with valid certificates on GitHub. Several new versions have been spotted in the wild over the course of the year, with Zeppelin as the latest iteration. According to security researchers, latest variant is based on the same code with similar functions as past methods, but the current campaign differs significantly than previous malware versions.

Working Mechanism
The threat actors are believed to have dropped the ransomware through Remote Desktop servers that are publicly exposed to the Internet. Like other Russian-based ransomware, Zeppelin first checks for the users’ nationality for CIS countries such as Russia, Ukraine, Belarus, and Kazakhstan. It either checks the configured language in Windows or default country code set by the users. When confirmed, the ransomware then begins terminating various processes including ones associated with the database, backup, and mail servers. When encrypting files, the ransomware does not add any extension and the file name is kept the same as well. However, it includes a file marker called Zeppelin that may be surrounded by different symbols depending on the hex editor and character format used by the user on the target system.

While encrypting files, it creates ransom notes named “!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT”. These notes contain information on what has happened to the victim’s files, how they can contact hackers for payment instructions, or how they can test decryption of one file for free.

Meanwhile, it is not known exactly how the Zeppelin ransomware is being distributed, but it is likely through Remote Desktop servers that are publicly exposed to the Internet. Unfortunately, at the moment, no decryptor is available for recovering the files encrypted by Zeppelin for free. It is therefore suggested that users restore from backups if at all possible.


Please enter your comment!
Please enter your name here

18 + = 23