Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In Security Last updated: March 31, 2023
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

Hearing about Zeppelin ransomware but not sure what they are?

What is ransomware?

The presence of the word ransom indicates that it involves money. Ransomware is when an individual or a group of individuals infect someone’s data in such a way that the victims can’t access it unless they pay a specific amount to them.

What is Zeppelin ransomware?

It is a new ransomware, spotted for the first time in the early ten days of November 2019.

It is said to be the latest variant of Vega lockers. But the fact that differentiates it from its predecessors is that it is targeting regions of Europe and the USA. Now that is quite strange. The Vega-lockers used to target Russia mostly. But Zeppelin finishes its function if it finds itself in systems of Russia or associated regions.

So, the people from Russia don’t have to worry about it.

Who are the developers of Zeppelin?

Speculations are going on about the developers. The researchers from Blackberry Cylance are speculating that the developers of Zeppelin might be different from the developers of Vega lockers. They are saying this because both of them are targeting different regions. The Zeppelin ransomware is targeting IT and health care companies and individuals associated with these industries.

So, the people from the USA and Europe belonging to such sectors must beware of the ongoing threats of ransomware.

How is Zeppelin delivered to the systems of the victim?

The exact mechanism in which the Zeppelin is delivered to the victims is unknown. But speculations are being made. It is said that Zeppelin is delivered via remote desktop servers.

The mode of action of Zeppelin

First of all, the details of the victim are checked. If the victim passes the initial test, then the process is carried on. The initial operations will include getting the basic level functions terminated. The first level of termination will be of servers associated with the victim’s computer and associated databases. In addition to that, the ransomware will target the backup files of the victim. Then Zeppelin will encrypt the data of the victim.

Zeppelin does this very intelligently. You won’t get an extension to your current file because Zeppelin would not create one. Secondly, Zeppelin will not change the name of your data files. But you might notice a marker with the name Zeppelin on it along with some very unusual symbols with it. The format of these symbols will highly depend on the type of system the user is using. It will also depend on the character format of the computer.

The algorithm used by Zeppelin is the same as the one used by Vega lockers. They generate keys for all the encrypted files. These keys will help to decrypt the data once the victim has paid the ransom amount.

After that, the encrypted files will start showing notes from the ransomware. These notes will usually start with a banner that will be “Your files have been encrypted.” Then the user will be able to view the complete ransom note with details of the files and what the ransomware did with them. This note will also contain information on how to contact the Zeppelin personnel. Contact information mostly includes an email address.

In addition to contact information, the ransom amount that the victim will have to pay will also be mentioned on the ransom note. In rare occurrences, the ransom amount will be communicated later.

The Zeppelin ransomware will also offer to decrypt one or two of the victim files for free. This is done so the victims will have the surety that their data has been encrypted by ransomware for real.

Zeppelin will station the encrypted files in any format such as DLL or power shell loader. The deployed Zeppelin will destroy any of the backups that the user has created. It will also track the IP of the victim; this will give them access to the victim’s location as well. These formats will enable the Zeppelin to run the software with even greater privileges. If the attacker or the ransomware is after specific tasks run by the victim, Zeppelin will make sure that those tasks are destroyed or stopped. Zeppelin will also be able to unlock locked files.

How to protect your systems from Zeppelin?

You can take some necessary precautions to avoid any unnecessary Zeppelin encounters.

  • The first and foremost thing to do is to develop backups. This point can’t be emphasized enough. Many people create backups on the same computer, but that is of no use. Create backups that are present at a different location to keep them safe.
  • Avoid using remote desktop servers. Make sure that whatever data you expose on the internet is managed securely. Try to use completely reliable online services.
  • Make use of multi-factor authentication wherever possible. The multi-factor authentication will let you recover your accounts.
  • Change passwords once in a while to make sure your accounts and data are well-protected.
  • Develop defense systems for the whole company. Manage those systems properly to avoid any ransomware occurrences.
  • You can hire companies or software to protect your data and systems.
  • You should only open emails or download links from trusted sources.

What if Zeppelin infects your system? Can you recover your data?

Researchers are trying to find a loophole in Zeppelin, but they haven’t found any till now.

  • You can try restoring your backed-up files on any other computer. Then you can reset your system to get rid of the ransomware.
  • If you haven’t backed up your data, then you can try to restart your system and use the safe networking mode. You can turn on this mode from the command prompt. After that, you can try to log in to the infected account and use anti-ransomware software to recover your data.


Zeppelin ransomware can become a nightmare for IT and healthcare companies if authorities do not counter it timely. This ransomware was only spotted a month ago, so not many details are available about it. As per the incoming information of the recent occurrences, recovering data without paying the ransom is quite tricky, and not many individuals can manage to trick Zeppelin. As it is said, prevention is better than cure.

So, one thing is for sure that you can easily avoid becoming a victim of such ransomware if you resort to safer practices.

  • Geekflare Editorial
    The Editorial team at Geekflare is a group of experienced writers and editors dedicated to providing high-quality content to our readers. We are committed to delivering actionable content that helps individual and business grows.
Thanks to our Sponsors
More great readings on Security
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder