
Zeppelin ransomware returns with malicious Word files

A notorious ransomware variant known as Zeppelin, which first emerged in December 2019 targeting health care and IT sectors in the United States and Europe, has returned this summer with a new tactic. The new Zeppelin attack was detected by Juniper Networks' Juniper Threat Labs on Aug. 28, 2020, and deconstructed by malicious software researcher Asher Langton.

What is Zeppelin ransomware?

Zeppelin ransomware takes hold of a victim's computer and network to encrypt all the files it can access. The attacker then demands a ransom to restore access to the data. Even when the ransom is paid, however, there's no guarantee the files will be decrypted. Zeppelin is more sophisticated than the average ransomware weapon, derived from an organized ransomware-as-a-service (RaaS) group known as VegaLocker. The original targets of VegaLocker were Russian-speaking accountants. In fact, Zeppelin is only one branch of the VegaLocker family tree, which also includes Jamper and Buran. With each generation, the ransomware expands its scope and changes its signature, making it harder for antivirus tools to spot. Zeppelin is picky in one respect, however. Before running, it checks the geolocation of the victim computer's IP address and the computer's language settings to prevent itself from infecting computers in Russia, Belarus, Kazakhstan or Ukraine.


How does it spread?

As documented by Langton, this latest Zeppelin ransomware is hidden inside a Microsoft Word document. Microsoft Word warns users not to open files like the one containing Zeppelin: the document opens locked in "protected view" with the notification, "files from the internet can contain viruses." However, the infected document instructs the victim to bypass Microsoft's protection, claiming it needs to be converted from "an earlier version" to open. If the victim clicks "enable editing," a malicious macro is armed. It then runs embedded Visual Basic for Applications (VBA) code to take over the computer when the document is closed. "Following encryption, the victim is presented with a ransom note," Langton explains.
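A macro that fires when the document is closed, as described above, relies on one of Word's auto-execute procedures. The following triage check is an added example, not code from the article or from Juniper Threat Labs: it scans VBA source that has already been extracted from a document (for instance with olevba) for such auto-execute procedures combined with process-launch or download capability. The embedded sample macro is constructed for illustration and is not Zeppelin's code.

```python
"""Heuristic triage of extracted VBA source for auto-executing droppers."""
import re

# Word/Office procedures that run without any further click from the user
# (the close-triggered ones are Document_Close and the legacy AutoClose).
AUTOEXEC_TRIGGERS = {
    "Document_Open", "AutoOpen", "Document_Close", "AutoClose",
    "Document_New", "AutoExec", "AutoExit", "Workbook_Open",
}
# VBA is case-insensitive, so match trigger names case-insensitively.
_TRIGGERS_LOWER = {t.lower(): t for t in AUTOEXEC_TRIGGERS}

# APIs that a benign document macro rarely needs but droppers commonly use.
SUSPICIOUS_CALLS = ("Shell", "CreateObject", "WScript.Shell",
                    "URLDownloadToFile", "Environ")

# Constructed sample (not Zeppelin's macro): a close-triggered handler that
# launches a file from the temp directory.
SAMPLE_VBA = """
Sub Document_Close()
    Dim p As String
    p = Environ("TEMP") & "\\update.exe"
    Shell p, vbHide
End Sub
"""

_SUB_DEF = r"^\s*(?:Private\s+|Public\s+)?Sub\s+([A-Za-z_]\w*)\s*\("


def find_autoexec_triggers(vba_source):
    """Return the auto-execute procedures defined in the source, in order."""
    names = re.findall(_SUB_DEF, vba_source, flags=re.MULTILINE | re.IGNORECASE)
    return [_TRIGGERS_LOWER[n.lower()] for n in names if n.lower() in _TRIGGERS_LOWER]


def find_suspicious_calls(vba_source):
    """Return which of the watched APIs appear anywhere in the source."""
    return [c for c in SUSPICIOUS_CALLS
            if re.search(r"\b" + re.escape(c) + r"\b", vba_source, re.IGNORECASE)]


def triage(vba_source):
    """Auto-exec trigger plus launch/download capability is the dropper pattern."""
    triggers = find_autoexec_triggers(vba_source)
    calls = find_suspicious_calls(vba_source)
    if triggers and calls:
        verdict = "suspicious"
    elif triggers or calls:
        verdict = "review"
    else:
        verdict = "clean"
    return {"triggers": triggers, "calls": calls, "verdict": verdict}
```

Run `triage(SAMPLE_VBA)` to see the close-triggered handler flagged; a document whose macros only define ordinary named subs and call no watched API comes back "clean".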


How effective is the Zeppelin attack?

Part of Langton's analysis uncovered a reference to a name server inside Zeppelin, which the ransomware contacts when it is executed. "There were only 64 confirmed DNS queries to its authoritative name server, which suggests the attacks might be targeted and not widespread," he writes. However, the history of Zeppelin and its ransomware relatives demonstrates that it doesn't take much effort or time to adapt the malicious code to go after new victims.


How do you prevent ransomware attacks?

Ransomware can be debilitating for a business, and when health information is involved, an attack is also a HIPAA violation. The best way to protect the security of your company, and the sensitivity of your clients' data, is to make sure every employee is vigilant and aware of how malware and ransomware work. Paubox Email Suite Plus not only enables HIPAA compliant email by default, but also protects against cyberattacks with inbound security features. Should a piece of ransomware be sent to one or many of your company email addresses, Paubox will catch the threat before it can be opened by an unsuspecting employee.