Ransomware Zeppelin Targets North American Healthcare, Managed Service Providers

Ransomware Targets Healthcare, Managed Service Providers
Share on linkedin
Share on facebook
Share on twitter
Share on reddit
Share on email
Share on print

by Andrew Ange, Avertium Healthcare Consultant

A new ransomware named “Zeppelin” is making its way across Europe and the United States. First reported on November 6, 2019,  ransomware Zeppelin continues to target healthcare companies, managed service providers and other technology companies. 

Background on Zeppelin

According to a report by the Cylance Threat Research Team, the malware was developed to be broad-based in order to target software and healthcare companies.

Based on the same software and features as its predecessor, VegaLocker, Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family, according to the BlackBerry Cylance Threat Research team.

VegaLocker samples were first found on Yandex.Direct, a Russian online advertising network, in a malvertising operation earlier in 2019.

The Ransomware Attack

This spin-off ransomware is being used to specifically target healthcare and Managed Service Provider (MSP) companies in America. Described as “highly configurable,” from siliconangle.com, Zeppelin can be deployed or bundled in a PowerShell loader in multiple ways, including as a .exe file or a.dll file.

Zeppelin ransomware features a number of tools: an IP logger, the capacity to erase copies, a task killer, auto-unlock, an Account Control Fast and a “melt” function to insert a Windows Notepad thread. Some of the binaries found have been signed and hosted on GitHub with a valid certificate.

Because the ransomware was designed to stop running on computers in the former USSR, Zeppelin’s source is believed to be Russia or a similar former Soviet-bloc country.

The Infection

Zeppelin ransomware can also be distributed through malvertising operations and watering hole attacks (infecting websites that members of the company are known to visit), and many believe the attackers will expand their delivery vehicles to phishing email campaigns and infiltrating automated software updates from approved providers.

Like many other ransomware software, Zeppelin performs different changes before the encryption process is performed. According to the Cylance Threat Research Team, the malware creates different folders in the C: drive, for example, and drops multiple files, opens and sets registry keys, deletes shadow volume copies by using the command “vssadmin.exe Delete Shadows / All / Quiet,” creates new processes, and terminates processes, etc.

Upon initial execution (without parameters), the malware checks the victim’s country code to make sure it’s not running in any of the following countries:

  • Russian Federation
  • Ukraine
  • Belorussia
  • Kazakhstan

Depending on the options set during the building process, it either checks the machine’s default language and default country calling code or uses an online service to obtain the victim’s external IP address.

The malware creates an empty file in the %TEMP% directory with the “.zeppelin” extension and a name that is a CRC32 hash of the malware path.

Protecting Your Organization

While it is true that there is currently no Zeppelin ransomware decryptor available, it is risky to pay criminals as they are known to scam targets and never make contact again. There is a small chance of restoring encrypted files with file recovery software or by using Windows Previous Versions feature.  

U.S. Department of Health and Human Services, the FBI and many security experts agree that health organizations should not pay the ransom money demanded by cyber attackers. The only secure and free way to recover data is by using backups, as paying the ransom does not guarantee positive results.


Organizations should remember these keys to protect their information and company from attacks like Zeppelin:

  • Conduct routine vulnerability scans on the network and remediate in a timely manner (i.e. within 30 days for High and Critical severity findings)
  • Perform regular backups that are disconnected from the network
  • Educate users on basic security guidelines, especially holiday-related phishing emails or malvertising
  • Secure ports and services that are exposed to the internet
  • Secure remote access tools as they can be used as entry points
  • Employ the principle of least privilege and regularly monitor your network for threats

Contact us for more information about Avertium’s managed detection and response service capabilities. 

This informed analysis is based on the latest data available at the time of publication.


Cylance Article

Supporting Documentation

ZDNet Article
TrendMicro Article
siliconANGLE Article

Andrew Ange, CCSFP

Andrew Ange, CCSFP

Andrew Ange is a healthcare consultant with Avertium. Andrew specializes in HIPAA and HITRUST compliance and has extensive experience designing, developing, managing and implementing IT security solutions in compliance with IT security standards and best practices.

Share this:
Share on linkedin
Share on twitter
Share on facebook
Share on reddit
Share on email
Share on print

Sign-up for Weekly Updates