

Zeppelin ransomware, first spotted in November 2019, is now “back in town”! According to BleepingComputer, the Zeppelin ransomware developers have resumed activity following a temporary hiatus that started last autumn and have begun making new versions of the malware public.

Last month, a new version of the malware was made available on a hacker forum to threat actors operating in the ransomware sphere, giving them absolute autonomy over how they use it.

It is believed that the Zeppelin ransomware is a variant of the infamous Vega/VegaLocker ransomware. What makes it different, though, is that unlike Vega, which targets devices in Russia and Eastern Europe, Zeppelin appears to be more interested in infecting computer systems in the U.S. and Europe.

Even though the Zeppelin ransomware is similar to VegaLocker in many ways, even sharing its malicious code, the two are distinct, as they are developed by different groups.

For example, the Zeppelin ransomware targets IT and health care organizations in different parts of the world. But just like the VegaLocker malware, Zeppelin is believed to be a RaaS (Ransomware-as-a-Service) that can be bought on Russian hacking forums on the dark web.

Operators behind the Zeppelin Ransomware-as-a-Service (RaaS) sell their new version on clandestine forums, allowing customers to choose how they want to employ the virus.

The difference is that in typical RaaS campaigns, developers usually seek affiliates to attack a victim network, steal data and install the file-encrypting virus. The operators and their partners then split the ransom payment.

Usually, the ransomware developers get around 25% of a ransom payment, and the rest is taken by the affiliate who organized the attack.


Researchers at the security firm Advanced Intel (AdvIntel) discovered that the Zeppelin ransomware gang became active again in March.

AdvIntel head of research Yelisey Boguslavskiy stated in an intelligence report that the latest Zeppelin variant comes with a price tag of $2,300 per core build.

The operators announced “a major update for the software” together with a new period of sales. After the update, the operators behind Zeppelin ransomware launched a brand-new version of the malware at the end of April. The new version brings only small changes to its features but makes the encryption more robust.

Regular clients were assured by the operators that the malware is a work in progress and mentioned that the loyal ones will benefit from special treatment.

The gang stated:

We continue to work. We provide individual conditions and a loyal approach for each subscriber, the conditions are negotiable. Write to us, and we will be able to agree on a mutually beneficial term of cooperation.


Advanced Intel researchers noted that even though the Zeppelin ransomware group doesn’t follow an ordinary RaaS model, it could make the malware more difficult to fight, since access to it enables other developers to steal features for their own products.

The security firm states that Zeppelin customers are independent purchasers who do not complicate their attacks and depend on common initial attack vectors like RDP, VPN vulnerabilities, and phishing.

Unlike other ransomware, Zeppelin developers don’t steal information from the victims and don’t run a leak site.

AdvIntel suggests monitoring and investigating external remote desktop and VPN connections as an efficient protection method against the Zeppelin ransomware group.

Author Profile

Antonia Din

PR & Video Content Manager
