Severity scale: 96/100

Remove ZEPPELIN ransomware (Removal Guide) - Quick Decryption Solution

by Jake Doevan | Type: Ransomware

ZEPPELIN ransomware is a crypto virus that locks data with AES and then demands ransom in Bitcoin

ZEPPELIN ransomware is crypto malware that applies a secure AES encryption algorithm to lock pictures, music, documents, and other data on the machine

ZEPPELIN ransomware is malware that renders all the files on the host machine completely useless and then blackmails victims into paying a ransom in Bitcoin or another cryptocurrency. First spotted in late November 2019, this virus belongs to the Buran ransomware family and functions very similarly to its previous versions.

As a general rule, ZEPPELIN ransomware infects users through various deceptive methods that involve phishing techniques, so they only later realize what happened. Nevertheless, the malware makes the situation clear to victims post-infection, as it drops a ransom note named readme.txt or !!! ALL YOUR FILES ARE ENCRYPTED !!!.txt. Another sign of ZEPPELIN virus infection is the extension added to all the compromised files – it consists of nine randomly-generated characters, for example, .126-A9A-0E9.


The message states that users cannot retrieve their files unless they contact hackers via zeppelindecrypt@420blaze.it, zeppelin_helper@tuta.io, or angry_war@protonmail.ch emails and pay them a ransom. While it is true that no Zeppelin ransomware decryptor is currently available, paying criminals is risky, as they might simply scam victims and never contact them again.

Name: ZEPPELIN ransomware
Type: File-locking malware, cryptovirus
Malware family: The virus is a version of the Buran ransomware family, which is a descendant of VegaLocker
Encryption algorithm: All files are locked with the help of the sophisticated AES encryption algorithm – it uses symmetric keys to lock and unlock the data
File extension: Non-system files are appended with a randomly-generated marker that consists of nine characters (numbers and letters)
Ransom note: Users can find the ransom note on the desktop or within the folders of affected files – readme.txt or !!! ALL YOUR FILES ARE ENCRYPTED !!!.txt
Contact: Emails zeppelindecrypt@420blaze.it, zeppelin_helper@tuta.io, or angry_war@protonmail.ch
Detection: According to Virus Total, Zeppelin ransomware is detected by various AV vendors under the following names:

  • Malware/Win32.Generic.C3574288
  • Trojan:Win32/Occamy.C
  • W32/Buran.H!tr.ransom
  • HEUR:Trojan.Win32.Agent.gen
  • DFI – Malicious PE
  • A Variant Of Win32/Filecoder.Buran.H
  • Generic.Ransom.Buhtrap.9E656C86, etc.

File decryption: There is a small chance of restoring encrypted files with file recovery software or by using the Windows Previous Versions feature, although chances are low. The only secure and free way to recover data is by using backups, as paying ransom to cybercriminals does not guarantee positive results
Removal: To get rid of malware from the system, you should scan your computer with reputable anti-malware software, such as SpyHunter 5, Combo Cleaner or Malwarebytes
Windows system fix: In case malware damaged certain system files that have a profound effect on the system's operation, we suggest scanning the machine with Reimage or Reimage Cleaner – it could fix all the virus damage and restore the Windows registry

Just like any other file-locking malware, ZEPPELIN ransomware makes various changes before performing the encryption process. For example, it creates folders on the C drive and drops multiple files, opens and sets registry keys, deletes Shadow Volume Copies by using the "vssadmin.exe Delete Shadows /All /Quiet" command, creates new processes and terminates existing ones, etc.
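The shadow-copy deletion described above is a reliable signal to alert on in process-creation logs. The following is an added example, not code from the original guide: the sample events are constructed, and the function names shadow_delete_args and scan are hypothetical.

```python
# Constructed sample process-creation records: (time, image, command line).
# A real pipeline would read these fields from Sysmon Event ID 1 or
# Windows Security Event ID 4688 with command-line auditing enabled.
SAMPLE_EVENTS = [
    ("2019-12-02T10:14:03", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe Delete Shadows /All /Quiet"),
    ("2019-12-02T10:14:09", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\Windows\System32\VSSADMIN.EXE delete shadows /quiet /all"'),
    ("2019-12-02T10:15:40", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),
    ("2019-12-02T10:16:12", r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\demo\Desktop\readme.txt"),
]


def shadow_delete_args(cmdline):
    """Return vssadmin's arguments if the line deletes shadow copies, else None.

    Matching is case-insensitive and tolerates quoting, a full path to the
    binary, a missing .exe suffix and reordered switches.
    """
    toks = cmdline.replace('"', " ").lower().split()
    for i, tok in enumerate(toks):
        base = tok.replace("/", "\\").rsplit("\\", 1)[-1]
        if base in ("vssadmin", "vssadmin.exe"):
            args = toks[i + 1:]
            if "delete" in args and "shadows" in args:
                return args
    return None


def scan(events):
    """Return one alert dict per event whose command line deletes shadows."""
    alerts = []
    for ts, image, cmdline in events:
        args = shadow_delete_args(cmdline)
        if args is not None:
            alerts.append({"time": ts, "image": image, "cmdline": cmdline,
                           "all": "/all" in args, "quiet": "/quiet" in args})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```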

Due to these changes, the Windows system might stop functioning as intended and start returning errors or crashing. In such a case, experts advise using Reimage or Reimage Cleaner to fix virus damage quickly. Additionally, for ZEPPELIN ransomware removal, victims should employ reputable anti-malware software and perform a full system scan in Safe Mode with Networking (not always required).

After all the preparations are complete, the ZEPPELIN virus starts the file encryption process. It targets the most commonly used file types, such as .pdf, .doc, .msi, .txt, .jpg, .dat, and others. The duration of the encryption process depends on the size of the affected hard drive, as well as connected external devices and networks. After this, the malware also contacts its remote server, from which it retrieves the AES[1] key. Each file encrypted in such a way is transformed – a blank icon is shown, and an additional extension is added. Thus, infected users can expect to see picture.jpg turned into picture.jpg.126-A9A-0E9.

ZEPPELIN ransomware is a file-locking virus that stems from the Buran ransomware family

After the data locking process, ZEPPELIN ransomware drops a message which can be accessed via desktop or the encrypted files' folders. It states:

—=== Welcome. Again. ===—
[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 126-A9A-0E9
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.To be sure we have the decryptor and it works you can send an email: zeppelindecrypt@420blaze.it and decrypt one file for free.
But this file should be of not valuable!
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise – time is much more valuable than money.

Write to email: zeppelindecrypt@420blaze.it
Reserved email: zeppelin_helper@tuta.io
Reserved jabber: zeppelin_decrypt@xmpp.jp

Your personal ID: 126-A9A-0E9

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions – its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

It is a known tactic of cybercriminals to add an option of test decryption, as they are trying to establish a false sense of security. However, there are countless instances where victims of ransomware did not receive the decryption tool, even after paying the requested money.[2] Thus, it is better to remove ZEPPELIN ransomware with anti-malware software and then use the alternative recovery methods provided below.

Note that hackers do not bluff when they say that the removal of ZEPPELIN ransomware could result in permanent data loss. To mitigate that, users should make a copy of locked files just in case.

Malware distribution methods vary – users should be more careful online

While many malware samples are quite difficult to get infected with, some advanced distribution methods might fool even those aware of online threats. Nevertheless, most ransomware infections occur with the help of some sort of social engineering or simple deception. Additionally, some users are aware of the dangers but are still willing to risk malware infections – software cracks and pirated installers are one of the reasons why Djvu ransomware is so prominent nowadays. Therefore, users should not put themselves in unnecessary danger and should never attempt to download cracking tools from torrent and similar sites in the first place.

Unfortunately, there is no ZEPPELIN ransomware decryptor currently available

There are several other security measures that users should pay close attention to, as explained by security experts from novirus.uk:[3]

  • Install reputable security software capable of comprehensively protecting your machine in real-time;
  • Apply all the Windows security patches without delaying them;
  • Set all your installed software (especially such flawed components as Flash[4] or Java) to be updated automatically;
  • Do not allow email attachments to execute a macro function, i.e., do not press “Allow content” once the MS Word or other document is opened; also, do not click on hyperlinks from unsolicited emails;
  • Use strong passwords for all your accounts and apply a two-factor authentication method where possible;
  • Do not reuse your passwords;
  • Turn off Remote Desktop connection when not used;
  • Enable ad-blocking extensions;
  • Turn off JavaScript autorun function.

Back up the encrypted data and then remove ZEPPELIN ransomware from your Windows machine

ZEPPELIN virus is ransomware, meaning that at its core, it is a complicated infection that is programmed to perform many different tasks once it infects the host. While some cryptoviruses self-delete, others lurk inside to encrypt all the new incoming files. In the latter case, ZEPPELIN ransomware removal is required prior to attempting data recovery. For that, victims should access Safe Mode with Networking and perform a full system scan to ensure that all the malicious components are eliminated. In case Windows struggles to function well afterward, the use of Reimage or Reimage Cleaner is recommended.

Note that before you remove ZEPPELIN ransomware, it is equally important to make a backup of the encrypted files on an external drive or a remote server. As already mentioned, the usage of anti-malware can damage the data and render it useless forever.
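To decide what to copy before cleanup, the locked files and ransom notes can be inventoried by the naming pattern this guide describes. The following is an added example, not part of the original guide: the function names inventory and backup_manifest are hypothetical, and the 3-3-3 grouping of the nine-character marker is assumed from the single example .126-A9A-0E9.

```python
import os
import re
import sys
from collections import defaultdict

# Marker per this guide: nine letters/digits appended after the original
# name, e.g. ".126-A9A-0E9". The 3-3-3 dash grouping is assumed from that
# single example.
MARKER = re.compile(r"^(?P<orig>.+)\.(?P<id>(?:[0-9A-Za-z]{3}-){2}[0-9A-Za-z]{3})$")
# Ransom note names given in the guide, lower-cased for comparison.
NOTE_NAMES = {"readme.txt", "!!! all your files are encrypted !!!.txt"}


def inventory(root):
    """Return (locked, notes) for everything under root.

    locked maps each marker to [(path, original_name), ...]; notes lists
    ransom-note paths. A plain readme.txt is common on clean systems, so it
    only counts when its folder also holds at least one locked file.
    """
    locked, notes = defaultdict(list), []
    for folder, _dirs, files in os.walk(root):
        in_folder, candidates = 0, []
        for name in sorted(files):
            m = MARKER.match(name)
            if m:
                path = os.path.join(folder, name)
                locked[m["id"].upper()].append((path, m["orig"]))
                in_folder += 1
            elif name.lower() in NOTE_NAMES:
                candidates.append(name)
        for name in candidates:
            if name.lower() != "readme.txt" or in_folder:
                notes.append(os.path.join(folder, name))
    return dict(locked), sorted(notes)


def backup_manifest(root):
    """Sorted list of paths to copy to external media before cleanup."""
    locked, notes = inventory(root)
    return sorted(p for items in locked.values() for p, _ in items) + notes


if __name__ == "__main__":
    for path in backup_manifest(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```

Run it against a mounted copy of the affected drive rather than the live system where possible, so the inventory itself does not write to the disk being recovered.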

Options for data recovery include:

  • Restoring from backups (safest and best way);
  • Using third-party data recovery software (low chance of success);
  • Paying cybercriminals for the ZEPPELIN ransomware decryptor (not recommended, as chances of being scammed remain).


To remove ZEPPELIN virus, follow these steps:

Remove ZEPPELIN using Safe Mode with Networking

Remove ZEPPELIN ransomware in Safe Mode if you were unsuccessful when scanning the device with anti-malware in normal mode:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove ZEPPELIN

    Log in to your infected account and start the browser. Download Reimage, Reimage Cleaner or another legitimate anti-spyware program. Update it before a full system scan and remove the malicious files that belong to the ransomware to complete ZEPPELIN removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove ZEPPELIN using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of ZEPPELIN. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage or Reimage Cleaner, scan your computer with it, and make sure that ZEPPELIN removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove ZEPPELIN from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by ZEPPELIN, you can use several methods to restore them:

Data Recovery Pro software might work

The less you use the computer after the ransomware infection, the better your chances of recovering at least some of the encrypted data.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by ZEPPELIN ransomware;
  • Restore them.

Windows Previous Versions Feature might be the answer

If you had System Restore enabled before the infection, you might be lucky and recover some files one-by-one with Windows Previous Versions Feature.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might restore all your files

Download ShadowExplorer – this tool should be able to restore all your files if the Zeppelin virus failed to remove Shadow Volume Copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from ZEPPELIN and other ransomware, use reputable anti-spyware, such as Reimage, Reimage Cleaner, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Jake Doevan - Computer technology expert
