Zeppelin ransomware returns with malicious Word files
by Ryan Ozawa
A notorious ransomware variant known as Zeppelin, which first emerged in December 2019 targeting health care and IT sectors in the United States and Europe, has returned this summer with a new tactic.
The new Zeppelin attack was detected by Juniper Networks’ Juniper Threat Labs on Aug. 28, 2020, and deconstructed by malicious software researcher Asher Langton.
What is Zeppelin ransomware?
Zeppelin ransomware takes hold of a victim’s computer and network to encrypt all the files it can access. The attacker then demands a ransom to restore access to the data. Even when the ransom is paid, however, there’s no guarantee the files will be decrypted.
Zeppelin is more sophisticated than the average ransomware and is derived from an organized ransomware-as-a-service (RaaS) group known as VegaLocker. The original targets of VegaLocker were Russian-speaking accountants.
In fact, Zeppelin is only one branch of the VegaLocker family tree, which also includes Jamper and Buran. With each generation, the ransomware expands its scope and changes its signature, making it harder for antivirus tools to spot.
Zeppelin is picky in one respect, however. Before running, it checks the geolocation of the victim computer’s IP address and the computer’s language settings to prevent itself from infecting computers in Russia, Belarus, Kazakhstan or Ukraine.
How does it spread?
As documented by Langton, this latest Zeppelin ransomware is hidden inside a Microsoft Word document.
Microsoft Word warns users not to open files like the one containing Zeppelin, which is locked in “protected view” with the notification, “files from the internet can contain viruses.”
However, the infected document instructs the victim to bypass Microsoft’s protection by claiming it needs to be converted from “an earlier version” before it can be opened. If the victim clicks “enable editing,” a malicious macro is executed. Its embedded Visual Basic for Applications (VBA) code then takes over the computer when the document is closed.
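The close-triggered macro described above is what a defender should look for when triaging a suspicious Word attachment. The following is an added example, not code from the original article or from Juniper Threat Labs: it checks whether an OOXML Word file carries a VBA project at all, and scores already-extracted VBA source text (for example, the output of a tool such as olevba) for auto-execute event handlers and risky calls. The file contents and VBA module are constructed fixtures.

```python
import io
import re
import zipfile

# Entry points Word runs without the user invoking a macro. Zeppelin's dropper
# fires when the document is *closed*, so Close handlers matter as much as Open ones.
AUTO_EXEC = ("Document_Close", "AutoClose", "Document_Open", "AutoOpen", "AutoExec")
# Calls that commonly hand control to the OS or stage a payload.
SUSPICIOUS = ("CreateObject", "WScript.Shell", "URLDownloadToFile", "Environ", "Shell(")


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if an OOXML Word file (docx/docm zip) ships word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_vba(source: str) -> dict:
    """Report which auto-exec handlers and risky calls an extracted VBA module contains."""
    handlers = [h for h in AUTO_EXEC if re.search(rf"\bSub\s+{h}\b", source, re.I)]
    calls = [c for c in SUSPICIOUS if c.lower() in source.lower()]
    if handlers and calls:
        verdict = "review"      # runs by itself AND reaches out of the document
    elif handlers:
        verdict = "macro"       # auto-exec present, nothing obviously risky
    else:
        verdict = "low"
    return {"auto_exec": handlers, "suspicious_calls": calls, "verdict": verdict}


def build_sample_docm() -> bytes:
    """Constructed fixture: a minimal zip laid out like a .docm with a macro stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not a real VBA stream")
    return buf.getvalue()


# Constructed fixture modelled on the lure: a handler that only runs on document close.
SAMPLE_VBA = """
Private Sub Document_Close()
    Dim sh: Set sh = CreateObject("WScript.Shell")  ' placeholder, no real payload
End Sub
"""
```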
“Following encryption, the victim is presented with a ransom note,” Langton explains.
How effective is the Zeppelin attack?
Part of Langton’s analysis uncovered a reference to a name server inside Zeppelin, which the ransomware contacts when it is executed.
“There were only 64 confirmed DNS queries to its authoritative name server, which suggests the attacks might be targeted and not widespread,” he writes.
However, the history of Zeppelin and its ransomware relatives shows that it takes little effort or time to adapt the malicious code to go after new victims.
How do you prevent ransomware attacks?
Ransomware can be debilitating for a business, and when health information is involved, an attack is also a HIPAA violation.
The best way to protect the security of your company, and the sensitivity of your clients’ data, is to make sure every employee is vigilant and aware of how malware and ransomware work.
Paubox Email Suite Plus not only enables HIPAA compliant email by default, but it protects against cyberattacks with inbound security features.
Should a piece of ransomware be sent to one or many of your company email addresses, Paubox will catch the threat before it can be opened by an unsuspecting employee.