by Andrew Ange, Avertium Healthcare Consultant

A new ransomware named "Zeppelin" is making its way across Europe and the United States. First reported on November 6, 2019,  ransomware Zeppelin continues to target healthcare companies, managed service providers, and other technology companies. 

Background on Zeppelin

According to a report by the Cylance Threat Research Team, the malware was developed to be broad-based in order to target software and healthcare companies.

Based on the same software and features as its predecessor, VegaLocker, Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family, according to the BlackBerry Cylance Threat Research team.

VegaLocker samples were first found on Yandex.Direct, a Russian online advertising network, was in a malvertising operation earlier in 2019.

The Ransomware Attack

This spin-off ransomware is being used to specifically target healthcare and Managed Service Provider (MSP) companies in America. Described as "highly configurable," from, Zeppelin can be deployed or bundled in a PowerShell loader in multiple ways, including as a .exe file or a.dll file.

Zeppelin ransomware features a number of tools: an IP logger, the capacity to erase copies, a task killer, auto-unlock, an Account Control Fast, and a "melt" function to insert a Windows Notepad thread. Some of the binaries found have been signed and hosted on GitHub with a valid certificate.

Because the ransomware was designed to stop running on computers in the former USSR, Zeppelin’s source is believed to be Russia or a similar former Soviet-bloc country.

The Infection

Zeppelin ransomware can also be distributed through malvertising operations and watering hole attacks (infecting websites that members of the company are known to visit), and many believe the attackers will expand their delivery vehicles to phishing email campaigns and infiltrating automated software updates from approved providers.

Like much other ransomware software, Zeppelin performs different changes before the encryption process is performed. According to the Cylance Threat Research Team, the malware creates different folders in the C: drive, for example, and drops multiple files, opens and sets registry keys, deletes shadow volume copies by using the command "vssadmin.exe Delete Shadows / All / Quiet," creates new processes, and terminates processes, etc.

Upon initial execution (without parameters), the malware checks the victim’s country code to make sure it’s not running in any of the following countries:

  • Russian Federation
  • Ukraine
  • Belorussia
  • Kazakhstan

Depending on the options set during the building process, it either checks the machine’s default language and default country calling code or uses an online service to obtain the victim’s external IP address.

The malware creates an empty file in the %TEMP% directory with the “.zeppelin” extension and a name that is a CRC32 hash of the malware path.

Protecting Your Organization

While it is true that there is currently no Zeppelin ransomware decryptor available, it is risky to pay criminals as they are known to scam targets and never make contact again. There is a small chance of restoring encrypted files with file recovery software or by using the Windows Previous Versions feature.  

U.S. Department of Health and Human Services, the FBI, and many security experts agree that health organizations should not pay the ransom money demanded by cyber attackers. The only secure and free way to recover data is by using backups, as paying the ransom does not guarantee positive results.


Organizations should remember these keys to protect their information and company from attacks like Zeppelin:

  • Conduct routine vulnerability scans on the network and remediates in a timely manner (i.e. within 30 days for High and Critical severity findings)
  • Perform regular backups that are disconnected from the network
  • Educate users on basic security guidelines, especially holiday-related phishing emails or malvertising
  • Secure ports and services that are exposed to the internet
  • Secure remote access tools as they can be used as entry points
  • Employ the principle of least privilege and regularly monitor your network for threats

Contact us for more information about Avertium’s managed detection and response service capabilities. 

This informed analysis is based on the latest data available at the time of publication.


Cylance Article

Supporting Documentation

ZDNet Article
TrendMicro Article
siliconANGLE Article