Zeppelin ransomware returns with malicious Word files


A notorious ransomware variant known as Zeppelin, which first emerged in December 2019 targeting health care and IT sectors in the United States and Europe, has returned this summer with a new tactic.

The new Zeppelin attack was detected by Juniper Networks’ Juniper Threat Labs on Aug. 28, 2020, and deconstructed by malicious software researcher Asher Langton.

What is Zeppelin ransomware?

Zeppelin ransomware takes hold of a victim’s computer and network to encrypt all the files it can access. The attacker then demands a ransom to restore access to the data. Even when the ransom is paid, however, there’s no guarantee the files will be decrypted.

Zeppelin is more sophisticated than the average ransomware, being derived from an organized ransomware-as-a-service (RaaS) operation known as VegaLocker. The original targets of VegaLocker were Russian-speaking accountants.

In fact, Zeppelin is only one branch of the VegaLocker family tree, which also includes Jamper and Buran. With each generation the ransomware expands its scope and changes its signature, making it harder for antivirus tools to spot.

Zeppelin is picky in one respect, however. Before running, it checks the geolocation of the victim computer’s IP address and the computer’s language settings to prevent itself from infecting computers in Russia, Belarus, Kazakhstan or Ukraine.

How does it spread?

As documented by Langton, this latest Zeppelin ransomware is hidden inside a Microsoft Word document.

Microsoft Word itself warns against opening files like the one carrying Zeppelin: the document opens in read-only “Protected View” with the notification “files from the internet can contain viruses.”

However, the infected document instructs the victim to bypass that protection, claiming it must be converted from “an earlier version” before it can be displayed. If the victim clicks “Enable Editing,” the document’s embedded Visual Basic for Applications (VBA) macro is armed, and it executes to take over the computer when the document is closed.
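For a mail or file gateway, the defensive question this raises is whether an attachment carries a VBA project at all, before any user sees the “Enable Editing” button. The script below is an added example, not code from this article or from Juniper Threat Labs. It relies only on the structure of Office files: a modern Word document is a ZIP package, a macro-bearing one ships a `word/vbaProject.bin` part and declares a macro-enabled main part in `[Content_Types].xml`, and a legacy binary `.doc` is an OLE2 compound file whose macros a ZIP listing cannot see. The sample documents it inspects are constructed in memory; the `.bin` payload is placeholder bytes, not a real macro.

```python
"""Triage an Office attachment for embedded VBA without opening it in Word.

Added example (not from the article). Inspects the container only; no macro is parsed or run.
"""
import io
import zipfile
from dataclasses import dataclass, field

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc / .xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                                  # OOXML (.docx/.docm) packages are ZIP files
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART = "word/vbaProject.bin"


@dataclass
class Verdict:
    container: str                      # "ooxml", "ole2" or "unknown"
    has_vba: bool = False
    macro_enabled_ct: bool = False
    extension_mismatch: bool = False
    findings: list = field(default_factory=list)

    @property
    def quarantine(self) -> bool:
        """Hold anything with a VBA project, any legacy OLE2 file, or any extension/contents mismatch."""
        return self.has_vba or self.container == "ole2" or self.extension_mismatch


def triage_office_file(filename: str, data: bytes) -> Verdict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        v = Verdict("ole2")
        v.findings.append("legacy OLE2 binary document; VBA not visible without OLE stream parsing")
        return v
    if not data.startswith(ZIP_MAGIC):
        return Verdict("unknown")
    v = Verdict("ooxml")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if VBA_PART in names:
                v.has_vba = True
                v.findings.append(f"embedded VBA project part: {VBA_PART}")
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                v.macro_enabled_ct = MACRO_ENABLED_CT in ct
    except zipfile.BadZipFile:
        v.findings.append("corrupt ZIP container")
        return v
    if v.has_vba and ext == "docx":
        # A plain .docx should never carry a VBA project; the extension is lying about the contents.
        v.extension_mismatch = True
        v.findings.append("VBA project inside a file presented as .docx")
    if v.macro_enabled_ct and not v.has_vba:
        v.findings.append("declares macro-enabled content type but ships no vbaProject.bin")
    return v


def build_sample_package(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data, not a real lure)."""
    main_ct = MACRO_ENABLED_CT if with_macro else PLAIN_DOCX_CT
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        if with_macro else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\x00" * 64)   # placeholder bytes standing in for a compiled VBA project
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample_package(True)),
                       ("report.docx", build_sample_package(True)),
                       ("memo.docx", build_sample_package(False)),
                       ("old.doc", OLE2_MAGIC + b"\x00" * 504)]:
        v = triage_office_file(name, blob)
        print(f"{name}: quarantine={v.quarantine} {v.findings}")
```

This is a gate, not an analysis: it tells you a macro is present, not what it does. Files it holds can then be handed to a tool that decompresses the VBA source (for example olevba from the oletools project) or to a detonation sandbox, and the “convert from an earlier version” lure described above is exactly the kind of social-engineering text an analyst should expect to find in the document body of a held file.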

SEE ALSO: Why You Need to Avoid Macro in Emails

“Following encryption, the victim is presented with a ransom note,” Langton explains.

How effective is the Zeppelin attack?

Langton’s analysis also uncovered a reference to a name server inside Zeppelin, which the ransomware contacts when it is executed.

“There were only 64 confirmed DNS queries to its authoritative name server, which suggests the attacks might be targeted and not widespread,” he writes.
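The same telemetry works in reverse for a defender: once the name a sample resolves is known, resolver logs show which internal hosts looked it up and when, which is how an outbreak is scoped. The script below is an added example, not part of this article or of Juniper Threat Labs’ analysis. The article does not publish the domain Zeppelin queries, so `WATCHLIST` holds an obvious placeholder, and the log lines are constructed in a simple `<timestamp> <client_ip> <qtype> <qname>` format standing in for a recursive resolver’s query log.

```python
"""Scope which internal clients resolved a watchlisted name, from resolver query logs.

Added example (not from the article). Domain and log lines are constructed placeholders.
"""
import re
from collections import Counter, defaultdict

# Placeholder indicator; the article does not name the real domain.
WATCHLIST = {"ransomware-ns.example"}

# Constructed sample log: two clients resolve the watchlisted name, one of them twice.
SAMPLE_LOG = """\
2020-08-28T09:12:01Z 10.20.4.17 A fileserver.corp.example
2020-08-28T09:12:03Z 10.20.4.17 A ransomware-ns.example
2020-08-28T09:12:03Z 10.20.4.17 A ransomware-ns.example
2020-08-28T09:14:40Z 10.20.7.33 AAAA mail.corp.example
2020-08-28T09:15:02Z 10.20.7.33 A api.ransomware-ns.example.
2020-08-28T09:16:11Z 10.20.9.2 A update.vendor.example
malformed line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<qtype>[A-Z]+) (?P<qname>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; silently skip lines that do not match the format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def matched_watch_name(qname, watchlist):
    """Return the watchlisted name that qname equals or is a subdomain of, else None."""
    name = qname.rstrip(".").lower()
    for w in watchlist:
        if name == w or name.endswith("." + w):
            return w
    return None


def scope_queries(text, watchlist):
    """Per watchlisted name: total queries, distinct querying clients, and first sighting."""
    hits = Counter()
    clients = defaultdict(set)
    first_seen = {}
    for rec in parse_log(text):
        w = matched_watch_name(rec["qname"], watchlist)
        if w is None:
            continue
        hits[w] += 1
        clients[w].add(rec["client"])
        first_seen.setdefault(w, rec["ts"])   # log is in time order, so the first match is the earliest
    return {
        w: {"queries": hits[w], "clients": sorted(clients[w]), "first_seen": first_seen[w]}
        for w in hits
    }


if __name__ == "__main__":
    for name, summary in scope_queries(SAMPLE_LOG, WATCHLIST).items():
        print(f"{name}: {summary['queries']} queries from {len(summary['clients'])} hosts, "
              f"first seen {summary['first_seen']}: {summary['clients']}")
```

Note that the client count, not the query count, is the number of hosts to investigate: the sample shows three queries but two hosts. The same caveat applies to Langton’s figure of 64 queries at the authoritative server, since recursive resolvers cache answers and only cache misses reach the authoritative side, so that number is a floor on the number of infections rather than a count of them.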

However, the history of Zeppelin and its ransomware relatives demonstrates that it takes little effort or time to adapt the malicious code to go after new victims.

How do you prevent ransomware attacks?

Ransomware can be debilitating for a business, and when health information is involved, an attack is also a HIPAA violation.

The best way to protect the security of your company, and the sensitivity of your clients’ data, is to make sure every employee is vigilant and aware of how malware and ransomware work.

SEE ALSO: How to Ensure Your Employees Aren’t a Threat to HIPAA Compliance

Paubox Email Suite Plus not only enables HIPAA-compliant email by default, but it also protects against cyberattacks with inbound security features.

Should a piece of ransomware be sent to one or many of your company email addresses, Paubox will catch the threat before it can be opened by an unsuspecting employee.


About the author

Ryan Ozawa
