The Zeppelin Ransomware

Zeppelin is a variant of the Buran ransomware and the newest member of the Delphi-based Vega Ransomware-as-a-Service (RaaS) family.

Zeppelin is highly configurable and can be deployed as an EXE, as a DLL, or wrapped in a PowerShell loader. There is reason to believe that at least some of the attacks were carried out through managed security service providers (MSSPs), using the access those providers hold into customer networks.

Zeppelin: Targets High-Profile Tech and Health Companies

The actors behind Zeppelin run targeted, carefully staged attacks against high-profile organizations in the IT and healthcare sectors rather than indiscriminate mass campaigns.

Depending on the options the operator enables in the builder, a Zeppelin sample includes the following features:

  • IP Logger — reports the victim's public IP address, and thus approximate location, to the operator
  • Startup — installs a startup entry so the ransomware runs again after a reboot (persistence)
  • Delete backups — stops attacker-specified services, disables Windows recovery, and deletes backups and Volume Shadow Copies so the victim cannot restore files locally
  • Task-killer — terminates attacker-specified processes
  • Auto-unlock — unlocks files that other processes hold open during encryption so they can still be encrypted
  • Melt — injects a self-deletion thread into notepad.exe so the original binary is removed after it has run
  • UAC prompt — attempts to run the ransomware with elevated privileges, triggering a UAC consent prompt if required
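The "Delete backups" and "Task-killer" features are the noisiest part of the chain and the best place to detect it before encryption starts. The script below is an added example for this page, not code from the original post or from any vendor analysis: it runs simple detection logic over constructed process-creation records (the `time|host|user|image|commandline` layout, the host names and the events are all made up for the example) and flags the Windows commands usually used to delete shadow copies, disable recovery, wipe the backup catalog, stop backup and database services, and kill processes. The page does not list the exact commands Zeppelin issues, so the patterns and the service watchlist are assumptions to tune for your environment; the per-host correlation is there because a single `vssadmin delete shadows` can be an administrator cleaning up, while several of these behaviours on one host within minutes is the ransomware precursor.

```python
import re
from collections import defaultdict

# Constructed sample events (not captured from a real infection), one per line,
# in the shape "time|host|user|image|commandline".  The command line is the
# last field and may itself contain "|", so it is never split further.
SAMPLE_EVENTS = [
    "2019-12-10T09:12:01|WS01|CORP\\alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users",
    "2019-12-10T09:12:05|WS01|CORP\\admin|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2019-12-10T09:40:11|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2019-12-10T09:40:12|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2019-12-10T09:40:13|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "2019-12-10T09:40:13|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2019-12-10T09:40:14|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "2019-12-10T09:40:15|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y",
    "2019-12-10T09:40:16|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM sqlservr.exe",
    "2019-12-10T10:02:40|WS03|CORP\\bob|C:\\Windows\\System32\\net.exe|net stop Spooler",
]

# Assumed patterns: the commonly used Windows commands for each behaviour.
# They are matched against the lower-cased, whitespace-normalised command line.
RULES = [
    ("shadow_copy_delete", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("shadow_copy_delete", r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    # Shrinking shadow storage to a tiny size forces old copies to be discarded.
    ("shadow_copy_delete", r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize="),
    ("recovery_disable", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("recovery_disable", r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("backup_catalog_delete", r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b"),
    ("process_kill", r"\btaskkill(\.exe)?\b.*\s/f\b"),
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in RULES]

# "net stop X" / "sc stop X" is only interesting for services that guard data;
# the watchlist below is an assumption (backup and database services) to extend.
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\"?([^\s\"/]+)")
SERVICE_WATCHLIST = {"vss", "mssqlserver", "sqlwriter", "sqlbrowser", "sqlserveragent",
                     "veeambackupsvc", "backupexecjobengine", "acronisagent"}


def parse_event(line):
    time, host, user, image, cmdline = line.split("|", 4)
    return {"time": time, "host": host, "user": user, "image": image, "cmdline": cmdline}


def classify(cmdline):
    """Return the set of rule names a single command line triggers."""
    lowered = " ".join(cmdline.lower().split())
    hits = {name for name, pattern in COMPILED if pattern.search(lowered)}
    match = SERVICE_STOP.search(lowered)
    if match and match.group(1) in SERVICE_WATCHLIST:
        hits.add("critical_service_stop")
    return hits


def analyze(lines):
    """Run every event through the rules; one finding per (event, rule)."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule in sorted(classify(event["cmdline"])):
            findings.append({"time": event["time"], "host": event["host"],
                             "rule": rule, "cmdline": event["cmdline"]})
    return findings


def hosts_with_chain(findings, min_distinct=2):
    """Hosts on which at least `min_distinct` different behaviours were seen."""
    per_host = defaultdict(set)
    for finding in findings:
        per_host[finding["host"]].add(finding["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()
            if len(rules) >= min_distinct}


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for finding in results:
        print(f'{finding["time"]} {finding["host"]:5} {finding["rule"]:22} {finding["cmdline"]}')
    print("hosts showing an inhibit-recovery chain:", hosts_with_chain(results))
```

In the sample data only FS02 is reported: the administrator's `vssadmin list shadows` on WS01 and the `net stop Spooler` on WS03 match nothing, while FS02 accumulates five distinct behaviours in as many seconds. Feed real Sysmon Event ID 1 or Security 4688 data through `analyze` by adapting `parse_event` to your export format; the rules themselves do not depend on the field layout.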

Following the configuration the attacker set in the Zeppelin builder interface when generating the binary, the malware enumerates files on all local drives and on every network share it can reach, and encrypts them with the same algorithm used by the other Vega variants.

How to recover from Zeppelin

Remove the malware from the operating system; the reliable way is to wipe the machine and reinstall (format) the OS. Removing the ransomware does not bring the data back, however: files that have already been encrypted stay encrypted.

The only viable way to get the data back is to restore it from a backup that was created before the infection and stored in a separate location the malware could not reach.

Always keep a backup copy of your critical data in a separate location! Because Zeppelin also enumerates and encrypts network shares, a backup on a share that is permanently mounted from your workstations is not a separate location; keep it offline, or on storage that the infected hosts cannot write to.
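A backup is only a recovery path if you can tell, before restoring, that it is intact rather than silently encrypted or partly missing. The following is an added example for this page, not code from the original post: it builds a SHA-256 manifest of a backup tree at backup time and later verifies the tree against it, reporting files that were modified, removed or added. The manifest must itself live somewhere the infected host cannot write (otherwise the ransomware simply encrypts it too). The `demo` function constructs a throwaway backup in a temporary directory and then simulates damage; the file names and the note file in it are made up for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large backups do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under `root` (relative, POSIX-style path) to its hash."""
    root = Path(root)
    return {path.relative_to(root).as_posix(): hash_file(path)
            for path in sorted(root.rglob("*")) if path.is_file()}


def verify_backup(root, manifest):
    """Compare the current tree with the manifest taken at backup time."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(name for name in manifest
                           if name in current and current[name] != manifest[name]),
    }


def demo():
    """Constructed scenario: take a manifest, then damage the copy and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "report.docx").write_bytes(b"quarterly numbers")
        (backup / "docs" / "plan.xlsx").write_bytes(b"budget")
        (backup / "notes.txt").write_bytes(b"meeting notes")

        manifest = build_manifest(backup)  # store this outside the backup location
        clean = verify_backup(backup, manifest)

        # Simulate what a ransomware that reached the share would leave behind:
        # one file overwritten with unrelated bytes, one deleted, one note added.
        (backup / "docs" / "report.docx").write_bytes(os.urandom(32))
        (backup / "notes.txt").unlink()
        (backup / "HOW_TO_RESTORE.txt").write_bytes(b"constructed note, not a real artifact")
        damaged = verify_backup(backup, manifest)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:  ", before)
    print("damaged copy:", after)
```

Run the verification from a clean machine against the backup medium before starting a restore; any entry under `modified` or `missing` means that restore point cannot be trusted and an older one must be used.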
