What do ransomware and Led Zeppelin have in common? Absolutely nothing.
First spotted in 2019, Zeppelin ransomware, or Buran V, primarily targeted large tech and healthcare companies in Europe and the United States. Zeppelin is a variant of the Russian ransomware-as-a-service family known as Vega or VegaLocker, and those behind its attacks run a precision campaign that’s much more targeted than its predecessors.
Zeppelin attacks went on a hiatus for several months but popped back onto the scene in late 2020. Researchers found the second string of attacks was poorly detected by legacy anti-virus applications because of new downloader components used in the attack chain. At the time of the first attack, almost 30% of antivirus software couldn't detect this ransomware threat.
While Zeppelin ransomware has nothing to do with Led Zeppelin, it’s a serious threat to tech and healthcare companies. Here, we’ll learn what exactly Zeppelin ransomware is, and who Zeppelin ransomware targets.
Zeppelin is a simple piece of code that’s distributed by an affiliate business and generated via a GUI wizard. It’s offered to distributors in exchange for a revenue share and, like other ransomware attacks, is designed to lure users into enabling Visual Basic for Applications (VBA) macros that begin the infection process. Zeppelin ransomware attacks start as phishing emails with Microsoft Word attachments, labeled as medical invoices, that display a blurred image with instructions on how to view the content. If the instructions are followed, the hidden malicious macros can infect the computer’s infrastructure.
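The macro-bearing Word attachment described above is something a mail gateway or analyst can check for before a user ever opens it. The following is an added example, not code from the original article or from any vendor tool: a triage function that reports whether an attachment carries a VBA project. The function names and the sample documents are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # legacy .doc container signature
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE
MACRO_TYPES = (b"macroEnabled", b"vbaProject")     # substrings of OOXML macro content types


def macro_indicators(data: bytes) -> list:
    """Return the reasons an Office attachment appears to carry VBA macros."""
    reasons = []
    if data.startswith(OLE_MAGIC):
        if VBA_DIR_NAME in data:
            reasons.append("legacy OLE file with a _VBA_PROJECT stream")
        return reasons
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons  # not an Office container at all
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # The VBA project is stored as a binary part, normally word/vbaProject.bin.
        reasons += [f"OOXML part {n}" for n in names if n.lower().endswith("vbaproject.bin")]
        # A renamed part must still be declared with a macro content type.
        if "[Content_Types].xml" in names:
            if any(t in zf.read("[Content_Types].xml") for t in MACRO_TYPES):
                reasons.append("macro content type declared")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Constructed OOXML sample: a minimal zip, not a real Word document."""
    main = "application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else \
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    legacy = OLE_MAGIC + b"\x00" * 64 + VBA_DIR_NAME  # constructed legacy .doc stub
    for label, blob in [("invoice.docm", build_sample(True)),
                        ("notes.docx", build_sample(False)), ("invoice.doc", legacy)]:
        print(label, "->", macro_indicators(blob) or "no macro indicators")
```

A non-empty result is a reason to quarantine or strip the attachment; an empty result only means no VBA project was found, not that the file is safe.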
Like other Russian-based ransomware, Zeppelin checks if the user is located in a Commonwealth of Independent States (CIS) country, such as Russia, Ukraine, Belarus, and Kazakhstan, by checking the configured language in Windows or the default country code. As with other VegaLocker attacks, Zeppelin ransomware won’t encrypt files if the infected system is located in Russia or the former Soviet states of Belarus, Kazakhstan, and Ukraine, and is designed to quit if found running on machines located there.
Once Zeppelin has entered a computer’s infrastructure and passes the checkpoint, it installs itself in a temporary folder named .zeppelin and spreads throughout the infected device. Once spread, it begins to encrypt Windows operating system directories, web browser applications, system boot files, and user files in order to preserve system function. The deployed Zeppelin will also destroy any backups the user has created and track the IP of the victim to access their location. This allows the attackers to run the software with greater privileges.
To evade detection, Zeppelin relies on multiple layers of obfuscation, including the use of pseudo-random keys, encrypted strings, code of varying sizes, and delays in execution to outrun sandboxes and deceive heuristic mechanisms.
When the encryption is complete, a note pops up that lets the user know they are a victim of a ransomware attack and must pay for the return of their data. Some researchers have found different versions, ranging from short, generic messages to more elaborate ransom notes tailored to individual organizations. In all cases, the note will contain an email address that the victim can contact for payment instructions and an offer for the free decryption of a single file as proof to encourage payment.
Zeppelin ransomware can be a nightmare for healthcare and IT companies if not handled correctly and in a timely fashion. Researchers have found that in some cases, files were only partially encrypted after a Zeppelin ransomware attack. This may have been a bug, or an intentional feature to make the files unusable. In one case, data wasn’t even encrypted but rather stolen, to add pressure to pay the ransom or to try and sell the data on the dark web.
While ransomware attacks can be difficult to prevent, your company can take steps to be prepared if ever faced with an attack. Here are some ways to protect yourself from ransomware and to ensure the only Zeppelin you know about is the English rock band:
Now that you know more about Zeppelin ransomware, you can keep your organization safe from ransomware attack types such as this one. Want to learn more about ransomware? Read “What Is Ransomware?” to discover other ways that hackers hold sites hostage, and what steps can help ensure yours isn’t one.