Wednesday, May 14, 2025
HomeComputer SecurityRaaS - Zeppelin Ransomware Attacks IT and Healthcare Companies To Encrypt The...

RaaS – Zeppelin Ransomware Attacks IT and Healthcare Companies To Encrypt The Sensitive Data

Published on

SIEM as a Service

Follow Us on Google News

Zeppelin ransomware also known as Vega or VegaLocker or Buran, observed at the beginning of 2019 and it was distributed as part of the financial malware. The ransomware was distributed through spam campaigns, downloaders, software cracking tools, and fake updates.

The ransomware was compiled in Delphi and it is a new member of Ransomware-as-a-Service (RaaS) family, the binaries are signed with the valid code signing certificates.

Zeppelin Ransomware Infection

Researchers from Cylance observed a new targeted Zeppelin ransomware campaign that targets IT and healthcare companies in Europe and the U.S.

- Advertisement - Google News

The ransomware appears highly configurable, they can be deployed as EXE, DLL, or wrapped in a PowerShell loader and the executables have three layers of obfuscation.

Upon execution, the ransomware will check for the country code and the default language of the infected machine, if the infected user machine in one the following countries such as Russian Federation, Ukraine, Belorussia and Kazakhstan then it terminates the infection process.

Zeppelin Ransomware includes following functions

Zeppelin Ransomware
Ransomware Functions

On the infected machine, it creates an empty file with the “.zeppelin” extension in the %TEMP% directory and then copies itself to the %APPDATA% folder and it ensures persistence by setting up key in the registry.

“The Zeppelin binaries are obfuscated with a different pseudo-random 32-byte RC4 key added to each string, the string obfuscation acts as a crude polymorphism mechanism, as each generated sample will use different RC4 keys.”

Researchers observed that the “encryption algorithm has not changed substantially compared to previous versions of Buran.” For symmetric file encryption, it uses AES-256 in CBC mode and to protect the session keys it uses custom RSA implementation.

The ransomware uses to encrypt files present in all the drives except system files and network shares. Once the files encrypted it adds a random extension (“.126-D7C-E67”) to the encrypted files.

Zeppelin Ransomware
Ransom Note

After encrypting all the files in the drive Zeppelin drops a ransom note text file, which asks users to purchase a unique private key to unlock the files.

There are ways to prevent ransomware and protect yourself. In this article you will find straight-forward expert tips, so you never become a victim of Ransomware Attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actors Leverage Weaponized HTML Files to Deliver Horabot Malware

A recent discovery by FortiGuard Labs has unveiled a cunning phishing campaign orchestrated by...

TA406 Hackers Target Government Entities to Steal Login Credentials

The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni,...

Google Threat Intelligence Releases Actionable Threat Hunting Technique for Malicious .desktop Files

Google Threat Intelligence has unveiled a series of sophisticated threat hunting techniques to detect...

New Adobe Photoshop Vulnerability Enables Arbitrary Code Execution

Adobe has released critical security updates addressing three high-severity vulnerabilities (CVE-2025-30324, CVE-2025-30325, CVE-2025-30326) in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Ransomware Attacks Surge by 123% Amid Evolving Tactics and Strategies

The 2025 Third-Party Breach Report from Black Kite highlights a staggering 123% surge in...

Cybercriminals Hide Undetectable Ransomware Inside JPG Images

A chilling new ransomware attack method has emerged, with hackers exploiting innocuous JPEG image...

New Mamona Ransomware Targets Windows Systems Using Abused Ping Command

Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona,...