The Zeppelin ransomware is a novel ransomware family that struck businesses in the dying days of 2019. It is said to be a variant of the notorious Vega lockers ransomware, except that rather than targeting computers in Russia and Eastern Europe, Zeppelin appears to put far more emphasis on infecting systems in the US and Europe.
Although Zeppelin shares a great deal with Vega lockers, including portions of its malicious code, there is considerable speculation that the two are the work of different teams. Zeppelin, for instance, targets IT and health care companies in a different region of the world. Like Vega lockers, however, Zeppelin is believed to be sold as RaaS (Ransomware-as-a-Service) on Russian-language hacking forums on the dark web.
The Mode of Action of Zeppelin
It is not yet clear exactly how Zeppelin infiltrates computer systems, but cybersecurity researchers believe the malware is delivered through a remote desktop server and then spreads across the network by exploiting vulnerabilities in installed software.
Once the malware has infiltrated a computer, it checks details about the victim to decide whether they are a worthwhile target. If so, Zeppelin begins by stopping the servers and database services associated with the victim's machines. Any file backups it finds are targeted and rendered inaccessible.
Zeppelin then encrypts the victim's important files and drops a readme.txt demanding a ransom. The note begins by telling victims: “All your files, documents, photos, databases, and other important files are encrypted. There is only one method of recovering files it is to purchase a unique key…”
The note also supplies an email address for contacting the criminals behind the operation, and it warns victims against attempting to decrypt the files or renaming them, claiming that doing so risks losing the files forever.
Cybersecurity researchers have also examined Zeppelin's payload builder, noting that its design is unusual and lets Zeppelin affiliates build different types of payload depending on the intended target: an .exe, a .dll, or a .ps1 script, each of which initiates a different kind of attack.
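The behaviour described above gives an incident responder something concrete to look for on an affected machine: ransom notes named readme.txt, high-entropy (likely encrypted) files beside them, and services that entered the stopped state shortly beforehand. The following PowerShell script is an added example written for this page, not code from the article or from any vendor. It assumes the note still carries that file name and opening sentence; the scan root, the entropy threshold and the time window are placeholders to adjust.

```powershell
# Added triage example (not from the article). Run from an elevated Windows PowerShell
# prompt on the affected machine, or point $Root at a mounted image of its disk.
# Assumptions: notes are named readme.txt and contain the opening sentence quoted in the
# article; $Root, $EntropyThreshold and $WindowMinutes are placeholders to adjust.
param(
    [string]$Root = 'C:\Users',
    [double]$EntropyThreshold = 7.5,   # bits per byte; ordinary documents sit well below this
    [int]$WindowMinutes = 30           # look this far either side of a note's timestamp for stopped services
)

# Opening sentence of the ransom note as quoted in the article
$NotePattern = 'All your files, documents, photos, databases, and other important files are encrypted'

function Get-ByteEntropy {
    # Shannon entropy (bits/byte) of the first 4 KiB of a file.
    # Encrypted output approaches 8.0; text, office files and most images score lower.
    param([string]$Path)
    $buffer = New-Object byte[] 4096
    $stream = [System.IO.File]::OpenRead($Path)
    try { $read = $stream.Read($buffer, 0, $buffer.Length) } finally { $stream.Dispose() }
    if ($read -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $read; $i++) { $counts[$buffer[$i]]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $read
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Get-StoppedServiceEvents {
    # Service Control Manager event 7036 records a service changing state; param1 is the
    # service display name and param2 the new state. The article notes that Zeppelin stops
    # servers and database services before encrypting, so stops near the note are of interest.
    param([datetime]$Around, [int]$Minutes)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = $Around.AddMinutes(-$Minutes)
        EndTime      = $Around.AddMinutes($Minutes)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[1].Value -eq 'stopped' } |   # state string is localized; 'stopped' on English systems
        ForEach-Object { $_.Properties[0].Value }
}

# 1. Find ransom notes by file name and content
$notes = Get-ChildItem -Path $Root -Recurse -File -Filter 'readme.txt' -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern $NotePattern -SimpleMatch -Quiet }

# 2. For each note, count high-entropy neighbours and list services stopped around that time
foreach ($note in $notes) {
    $siblings = @(Get-ChildItem -Path $note.DirectoryName -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $note.FullName })
    $highEntropy = @($siblings | Where-Object { (Get-ByteEntropy -Path $_.FullName) -ge $EntropyThreshold })
    [pscustomobject]@{
        NotePath         = $note.FullName
        NoteWritten      = $note.LastWriteTime   # the earliest note is the start of your timeline
        FilesInFolder    = $siblings.Count
        HighEntropyFiles = $highEntropy.Count
        ServicesStopped  = (Get-StoppedServiceEvents -Around $note.LastWriteTime -Minutes $WindowMinutes |
                                Sort-Object -Unique) -join '; '
    }
}
```

Save it as, for example, Find-RansomNotes.ps1 and run `.\Find-RansomNotes.ps1 -Root D:\ | Export-Csv notes.csv -NoTypeInformation`. A folder where nearly every file beside the note scores above the threshold is the signature of completed encryption; the earliest NoteWritten value tells you when to start looking in other logs, and a list of stopped database or backup services around that time corroborates the sequence the article describes. Preserve a disk image before you start any cleanup, because the removal steps later in this article will overwrite this evidence.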
Zeppelin Ransomware Removal
Once your computer has been infected with ransomware, whatever the strain, your options will always be limited. First, it would not be wise to pay the ransom, because you can never trust criminals to keep their word and decrypt your files afterward. Paying also gives them more motivation to carry on with their thieving ways, because it proves that someone will part with their hard-earned money.
So, if you cannot pay the ransom, what can you do as part of the Zeppelin virus removal process?
Safe Mode with Networking
Safe Mode is a Windows boot option that runs a bare-bones version of the system in which only the most basic apps, drivers and settings are enabled. In Safe Mode with Networking, you can still reach network resources such as the internet and use them to download anti-malware solutions such as Outbyte Antivirus, which will help you remove whatever has infiltrated your computer. Be warned, however, that removing the malware does not mean you will recover your files.
Here is how to get to Safe Mode with Networking on Windows 7, Windows Vista, and Windows XP:
- Restart your computer and, as soon as it powers on, press F8 repeatedly at 1-second intervals.
- Your computer will display hardware information and run a memory test before presenting the Advanced Boot Options menu.
- Use the arrow keys to select Safe mode with Networking.
Safe Mode with Networking on Windows 10/11:
To boot your Windows 10/11 into Safe Mode with Networking from a blank screen, take the following steps:
- Hold the power button for about 10 seconds to turn off your computer.
- Press the power button again to turn on your device.
- When Windows shows signs of starting, press the power button again to turn it off. Keep turning the device on and off until you reach the Windows Recovery Environment (WinRE).
- On the Choose an option screen that appears in WinRE, select Troubleshoot > Advanced Options > Startup Settings > Restart.
- After your device restarts, use the arrow keys to select Safe Mode with Networking from the list that appears.
Now that you have booted Windows 10/11 into Safe Mode with Networking, you can use the network to visit a site and learn how to deal with various kinds of malware threats.
System Restore
System Restore is a Windows recovery feature that returns your computer to an earlier working state by applying a restore point. It only works if restore points already exist on your computer.
To reach the System Restore option, follow the same steps used to boot into Safe Mode with Networking, but instead of choosing Startup Settings, choose System Restore. During the process you will be shown the apps and settings that will no longer be available once the restore point has been applied. Make sure that the malware you intend to remove appears on that list of affected programs.
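The Safe Mode and System Restore steps above are all driven through the boot menus, which is the only route from a blank screen. On a machine that still boots to a desktop, the same two procedures can be run from an elevated Windows PowerShell 5.1 prompt. The block below is an added example written for this page, not code from the article; it uses only the built-in bcdedit tool and the System Restore cmdlets, and the sequence number passed to Invoke-RestorePoint is a placeholder you take from the list that Show-RestorePoints prints.

```powershell
# Added example (not from the article): Safe Mode with Networking and System Restore
# from an elevated Windows PowerShell 5.1 prompt (Restore-Computer is not available in
# PowerShell 7). Run one function at a time; the machine reboots between them.

function Enter-SafeModeWithNetworking {
    # Flag the current boot entry to start in Safe Mode with Networking, then reboot.
    # The braces are quoted so PowerShell does not parse {current} as a script block.
    bcdedit /set '{current}' safeboot network
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed: run this from an elevated prompt.' }
    Restart-Computer -Force
}

function Exit-SafeMode {
    # Remove the flag once cleanup is done; otherwise every restart lands back in Safe Mode.
    bcdedit /deletevalue '{current}' safeboot
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed: run this from an elevated prompt.' }
    Restart-Computer -Force
}

function Show-RestorePoints {
    # System Restore can only help if points already exist; this lists them, oldest first.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ n = 'Created'; e = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
        Sort-Object Created |
        Format-Table -AutoSize
}

function Invoke-RestorePoint {
    # Roll back to a point created before the infection. Windows reboots to apply it.
    # Restore points cover system files, the registry and installed programs, not your documents.
    param([Parameter(Mandatory)][int]$SequenceNumber)
    Restore-Computer -RestorePoint $SequenceNumber -Confirm
}

# Typical order, one call per boot:
#   Enter-SafeModeWithNetworking              # then scan and clean inside Safe Mode
#   Exit-SafeMode                             # return to a normal boot
#   Show-RestorePoints
#   Invoke-RestorePoint -SequenceNumber 12    # 12 is a placeholder taken from the list
#   Get-ComputerRestorePoint -LastStatus      # confirm how the restore finished
```

Pick a restore point whose Created timestamp is earlier than the ransom note timestamps you collected during triage, and remember the caveat from the article: a successful restore removes the program, not the encryption of your files.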
What else can you do? If all your attempts to remove Zeppelin from your computer fail, you can still pursue the nuclear option of resetting your PC or performing a clean installation of Windows.
How Did the Zeppelin Malware Infect your Computer?
After suffering a terrible catastrophe such as an infection by the Zeppelin malware, it is common for folks to wonder how the malware was able to infiltrate their systems in the first place. Here are a few clues:
Do you have an antivirus on all your computers? Does your organization use two-factor authentication for all front-facing applications? Are all your systems and apps, including the Windows OS, up to date? Do you have a secure backup of your most important files? These are some of the questions you should be asking yourself after an infection; the answers will help you identify areas of weakness.
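Most of those questions can be answered for a single Windows machine from an elevated PowerShell prompt. The function below is an added example written for this page, not code from the article or from any vendor. It reads the built-in Defender status, the Security Center registration of any third-party antivirus, the most recent installed update, the Remote Desktop settings (the article names RDP as the likely delivery channel) and the local shadow copies and restore points that Zeppelin targets first. Two-factor authentication is enforced by your identity provider, not the workstation, so it is not checked here.

```powershell
# Added example (not from the article): a post-incident posture check for one machine,
# run from an elevated Windows PowerShell prompt. It only reads settings; nothing is changed.

function Get-RansomwarePostureReport {
    # Antivirus: Defender exposes its state through Get-MpComputerStatus; a third-party
    # product registers with the Security Center instead (workstation editions only).
    $av         = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $thirdParty = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue

    # Patching: the most recently installed update.
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

    # Remote Desktop: fDenyTSConnections = 0 means RDP is enabled;
    # UserAuthentication = 1 means Network Level Authentication is required before logon.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue

    # Local recovery data: shadow copies and restore points are the first backups ransomware removes.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $points  = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)

    $defenderRealTime = 'n/a'
    $signatureAgeDays = 'n/a'
    if ($av) {
        $defenderRealTime = $av.RealTimeProtectionEnabled
        $signatureAgeDays = ((Get-Date) - $av.AntivirusSignatureLastUpdated).Days
    }
    $daysSinceUpdate = 'unknown'
    if ($lastPatch) { $daysSinceUpdate = ((Get-Date) - $lastPatch.InstalledOn).Days }

    [pscustomobject]@{
        DefenderRealTime     = $defenderRealTime
        SignatureAgeDays     = $signatureAgeDays
        ThirdPartyAV         = ($thirdParty.displayName -join '; ')
        DaysSinceLastUpdate  = $daysSinceUpdate
        RdpEnabled           = ($ts.fDenyTSConnections -eq 0)
        RdpRequiresNLA       = ($nla.UserAuthentication -eq 1)
        ShadowCopies         = $shadows.Count
        RestorePoints        = $points.Count
    }
}

Get-RansomwarePostureReport | Format-List
```

Read the output against the article's questions: no antivirus reporting, signature or update ages measured in months, RDP enabled without NLA on an internet-facing machine, and zero shadow copies or restore points are each a weakness worth fixing before the machine goes back into service. Run it across every machine, not just the one that was hit.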
Poor Web Surfing Habits
If you visit suspicious sites or ones that are not secured, you risk downloading malware onto your computer. You do not even have to click on a file; sometimes the malware downloads itself automatically (a so-called drive-by download).
Poor Handling of Email Attachments
Most malware is spread through phishing campaigns: spam emails that carry malicious links and attachments. Before you respond to anything, verify the authenticity of the source.