ZEPPELIN was first discovered and observed in the first ten days of November 2019. It is a malicious program and a variant of the Buran ransomware. Systems infected with this malware have their data encrypted so that the cybercriminals behind the infection can demand payment for the decryption tools / software. During the encryption process, ZEPPELIN appends a random extension, made up of hexadecimal digits, to the names of the encrypted files.

It is said to be the latest variant of the Vega lockers, but what sets it apart from its predecessors is that it targets regions of Europe and the US, which is unusual: the Vega lockers used to primarily target Russia, and Zeppelin terminates if it finds itself on a system located in Russia or an associated region.

The ransom note, a text file, informs victims that their data has been encrypted. It claims that all important data (such as documents, photos, databases, and other files) has been encrypted. The message goes on to say that manual decryption is impossible and that the only way to decrypt files is by purchasing a unique private key from the ZEPPELIN developers. An email address is included to establish contact. Furthermore, users are cautioned not to rename encrypted files or attempt to decrypt them with third-party software, as this can lead to permanent data loss.

Zeppelin can be deployed in EXE format, as a DLL, or run through PowerShell, and can be configured with different features:

Registration of the victim's IP address and location.

Persistence across reboots.

Removal of backup copies.

Stopping specific processes.

Unlocking files that are in use or locked so that they can be encrypted.

Self-deletion: removes the executable and its registry entries.

Privilege elevation: the malware attempts to elevate its privileges at startup.
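As an added example that is not part of the original post, the following Python check shows how a defender could scan a file listing for the renaming behaviour described at the top of the article (a random hexadecimal extension appended to each encrypted file's name). The extension length range, the hit threshold and the sample listing are assumptions made for this example, not values taken from the post.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Assumption (not from the post): the appended extension is 6 to 16 hex characters.
HEX_EXT = re.compile(r"^[0-9A-Fa-f]{6,16}$")
# Assumption: a directory is flagged once this many files share one hex extension.
MIN_HITS = 5

def split_hex_ext(name):
    """Return (original_name, hex_ext) if a hex-looking extension was appended
    after the file's real extension, else None."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base or not HEX_EXT.match(ext):
        return None
    # Require an original extension too: a lone hex name (e.g. a hash-named
    # cache blob) is common and not evidence of encryption.
    if "." not in base:
        return None
    return base, ext.lower()

def find_mass_renames(paths):
    """Group files by (directory, hex extension) and report groups that look
    like bulk encryption: many files, several different original file types."""
    groups = defaultdict(list)
    for p in paths:
        pp = PurePosixPath(p)
        hit = split_hex_ext(pp.name)
        if hit:
            groups[(str(pp.parent), hit[1])].append(hit[0])
    findings = []
    for (directory, ext), originals in groups.items():
        orig_types = {o.rsplit(".", 1)[-1].lower() for o in originals}
        if len(originals) >= MIN_HITS and len(orig_types) >= 2:
            findings.append({"dir": directory, "ext": ext,
                             "count": len(originals), "types": sorted(orig_types)})
    return findings

# Constructed sample listing (not real victim data): one hit, two benign cases.
SAMPLE = [
    "/srv/share/report.docx.a1f9c3",
    "/srv/share/budget.xlsx.a1f9c3",
    "/srv/share/photo1.jpg.a1f9c3",
    "/srv/share/photo2.jpg.a1f9c3",
    "/srv/share/notes.txt.a1f9c3",
    "/srv/share/db.sqlite.a1f9c3",
    "/srv/share/readme.txt",            # normal extension, ignored
    "/home/u/cache/blob.bin.0c0ffee",   # single hit, below threshold
]
```

Run find_mass_renames over a real listing (for example, the paths from a recursive directory walk) to get one finding per directory where many files of different types now share the same hexadecimal extension.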

Unfortunately, in most cases of ransomware infections, decryption without the involvement of those responsible for the encryption is impossible, unless the malware in question is still under development and / or has certain flaws / bugs. Regardless, as we always say, you are strongly advised not to contact the cybercriminals or comply with their ransom demands: paying is never a safe way to get your information back.



2 comments on «Zeppelin Ransomware targeting large companies»
