Zeppelin is a file-encrypting ransomware family. It’s thought to be based on Buran (Buran’s transformation into Zeppelin). You might recognize Zeppelin ransomware by the file extensions that it gives to the file that it encrypts: a set of random 9 digits/symbols or the word “zeppelin”.
Even though Zeppelin is known for targeting organizations, individual PC users can also get infected with this ransomware.
Zeppelin Ransomware quicklinks
- How to recognize Zeppelin ransomware
- Signs of Zeppelin ransomware infection
- Changes made to files
- How Zeppelin infects computers
- How to deal with Zeppelin ransomware
- How to get your data back
- How to delete Zeppelin
- Automatic Malware removal tools
- How to recover Zeppelin Ransomware encrypted files and remove the virus
- Step 1. Restore system into last known good state using system restore
- 1. Reboot your computer to Safe Mode with Command Prompt:
- 2.Restore System files and settings.
- Step 4. Use Data Recovery programs to recover Zeppelin Ransomware encrypted files
|Type of threat||Ransomware,
|Zeppelin infection symptoms||Files don’t open,
file names end with “zeppelin” or with a nine-digit number,
text files with ransom notes can be found in many folders.
|How to restore your data||Restore from your backups,
use data recovery tools,
keep an eye out for a free decryptor.
|How to remove Zeppelin ransomware||Use antivirus apps (, others) to find and delete malware,
secure your computer and your data.
How to recognize Zeppelin ransomware
Signs of Zeppelin ransomware infection
Zeppelin ransomware is a family of malicious programs. All variants of Zeppelin have slight differences, but they are all related.
They infect PCs, encrypt files, basically corrupting them. They then demand a ransom to be paid in exchange for the files being fixed.
Most file-encrypting ransomware infections have a few signatures, and so does Zeppelin ransomware:
- Backups are deleted, various processes are killed.
- New file type extensions to label the files that were encrypted.
- Content included in the encrypted files.
- Ransom notes with contact details and instructions to pay a ransom.
Changes made to files
Besides attempting to kill antivirus programs, Zeppelin also kills processes that might be using the files that it wants to encrypt. The ransomware then encrypts documents, text files, media, and various other file types.
When Zeppelin was just discovered (back in November of 2019), it was noticed that the encrypted files all started with the word “ZEPPELIN”.
The ransomware appends a new file type extension to the names of the files that it encrypts. The extensions associated with Zeppelin ransomware are sometimes just 9 random symbols, like this:
Other times, the word “zeppelin” is used. Yet other times, Zeppelin ransomware would append two file type extensions.
Zeppelin’s ransom notes include more data to identify the malware: the email addresses of the criminals. These email addresses vary a lot, here are a few examples:
The ransom notes vary, too. This is because Zeppelin is thought to be RaaS – ransomware as a service. Many different groups of cybercriminals are allowed to create their own version of Zeppelin and distribute it on the internet. If these criminals receive ransom payments from their victims, they share the money with the developers of Zeppelin ransomware.
How Zeppelin infects computers
Many separate groups of criminals distribute Zeppelin, which means that there are many different ways in which Zeppelin ransomware infects computers. We outline the most common ways in our post How ransomware spreads. In short, here are the likeliest culprits:
- malicious email attachments (PDF, Doc, other files),
- RPD break-ins (often thanks to weak login credentials),
- infected installers that were available online for free.
This article – Zeppelin Ransomware returns with a fresh wave of attacks – has an example of an email that downloads Zeppelin ransomware.
How to deal with Zeppelin ransomware
How to get your data back
If you don’t have a backup of your files, or if Zeppelin got your backups, then what can you do to get your files back?
No free decryption is yet possible. Zeppelin encryption can’t be broken, or at least no ransomware expert has done it so far. You could put all of the Zeppelin-encrypted files on a backup and check Nomoreransom.org periodically – that site lists free ransomware decryption tools.
It’s not recommended to deal with the extortionists behind Zeppelin:
- even if you pay the ransom, there’s no way to know if they’ll give you the tools to fix your files,
- even if they do give you the decryption tools and your unique decryption key, technical issues are likely to arise and could prevent you from recovering all of your data.
If you decide to contact the extortionists behind Zeppelin ransomware, then hide your identity so that these criminals can’t target you again.
You could use data recovery programs, such as EaseUS. They might be able to recover some of your data, though not all of it.
How to delete Zeppelin
But first, it’s important to get rid of Zeppelin so that it won’t cause any more problems.
You can delete malware with antivirus apps, like Spyhunter. It’s possible that Zeppelin is not the only threat on your computer (analysts have seen Clipbanker, a cryptocurrency stealer, being distributed with), so it’s good to check thoroughly.
If you suspect that you know how Zeppelin got on your computer, then make sure to plug that security hole as quickly as possible. Use secure passwords for your remote desktop accounts, don’t open suspicious email attachments, and only download software from reliable websites. Most importantly, make sure that your file backups are not vulnerable to ransomware.
Automatic Malware removal tools
How to recover Zeppelin Ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Zeppelin Ransomware has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Zeppelin RansomwareAfter restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Zeppelin Ransomware. You can check other tools here.
Step 3. Restore Zeppelin Ransomware affected files using Shadow Volume CopiesIf you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Zeppelin Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Zeppelin Ransomware encrypted filesThere are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download a data recovery program.
- Install and scan for recently deleted files.