ZEPPELIN virus Removal Guide
What is ZEPPELIN ransomware?
ZEPPELIN ransomware is a crypto virus that locks data with AES and then demands ransom in Bitcoin
ZEPPELIN ransomware is crypto malware that applies a secure AES encryption algorithm to lock pictures, music, documents, and other data on the machine
ZEPPELIN ransomware is malware that renders all the files on the host machine completely useless, and then blackmails victims into paying a ransom in Bitcoin or another cryptocurrency. First spotted in late November 2019, this virus belongs to the Buran ransomware family and functions very similarly to its previous versions.
As a general rule, ZEPPELIN ransomware infects users using various deceptive methods that involve phishing techniques, so they only later realize what happened. Nevertheless, the malware ensures that everything is clear to victims post-infection, as it drops a ransom note under the name of readme.txt or !!! ALL YOUR FILES ARE ENCRYPTED !!!.txt. Another sign of ZEPPELIN virus infection is the appendix added to all the compromised files – it consists of nine randomly-generated characters, for example, .126-A9A-0E9.
The message states that users cannot retrieve their files unless they contact hackers via firstname.lastname@example.org, email@example.com, or firstname.lastname@example.org emails and pay them a ransom. While it is true that no Zeppelin ransomware decryptor is currently available, paying criminals is risky, as they might simply scam victims and never contact them again.
| Property | Description |
|---|---|
| Type | File locking malware, cryptovirus |
| Malware family | The virus is a version of the Buran ransomware family, which is a descendant of VegaLocker |
| Encryption algorithm | All files are locked with the help of the AES encryption algorithm – it uses symmetric keys to lock and unlock the data |
| File extension | Non-system files are appended with a randomly-generated marker that consists of nine characters (numbers and letters) |
| Ransom note | Users can find the ransom note on the desktop or within the folders of affected files – readme.txt or !!! ALL YOUR FILES ARE ENCRYPTED !!!.txt |
| Contact | Emails email@example.com, firstname.lastname@example.org, or email@example.com |
| File decryption | There is a small chance of restoring encrypted files with file recovery software or by using the Windows Previous Versions feature, although chances are low. The only secure and free way to recover data is by using backups, as paying ransom to cybercriminals does not guarantee positive results |
| Removal | To get rid of malware from the system, you should scan your computer with reputable anti-malware software, such as SpyHunter 5, Combo Cleaner or Malwarebytes |
| Windows system fix | In case malware damaged certain system files that have a profound effect on the system's operation, we suggest scanning the machine with ReimageIntego – it could fix all the virus damage and restore the Windows registry |

According to Virus Total, Zeppelin ransomware is detected by various AV vendors under the following names:
Just like any other file locking malware, ZEPPELIN ransomware executes various changes before performing the encryption process. For example, it creates various folders in the C drive and drops multiple files, opens and sets registry keys, deletes Shadow Volume Copies by using “vssadmin.exe Delete Shadows /All /Quiet” command, creates new and terminates processes, etc.
Due to these changes, the Windows system might stop functioning as intended and start returning errors or crashing. In such a case, experts advise using ReimageIntego to fix virus damage quickly. Additionally, for ZEPPELIN ransomware removal, victims should employ reputable anti-malware software and perform a full system scan in Safe Mode with Networking (not always required).
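The Shadow Volume Copy deletion described above is one of the few pre-encryption steps that leaves a clear trace in process-creation logging (Windows Security event 4688 or Sysmon event 1), which makes it a useful detection point. The following Python checker is an added example, not code from the article or from any vendor it names: it scans process-creation records for the `vssadmin.exe Delete Shadows` command quoted in the text, plus the closely related `wbadmin delete catalog` form. The log records, hostnames, paths and field names below are constructed for this example, and the parent-path heuristic (raising severity when the parent process lives in a user-writable profile or temp folder) is an assumption of mine rather than something the article states.

```python
import re
from typing import Dict, List, Optional

# Command lines that remove the recovery data ransomware wants gone.
# The vssadmin pattern matches the command quoted in the article; the wbadmin
# variant is a widely documented sibling technique.
SHADOW_DELETION_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.IGNORECASE),
}

# Assumption: legitimate shadow-copy maintenance is launched by an administrator from a
# shell or management tool, not by a binary sitting in a user's profile or temp folder.
SUSPICIOUS_PARENT_DIRS = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

# Constructed sample of process-creation events (invented for this example, not real logs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2019-11-30T10:14:02Z", "host": "WS01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "cmdline": "update.exe"},
    {"ts": "2019-11-30T10:14:05Z", "host": "WS01", "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2019-11-30T11:00:00Z", "host": "WS02", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2019-11-30T11:05:00Z", "host": "WS03", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": "2019-11-30T11:06:00Z", "host": "WS03", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "VSSADMIN.EXE  delete   shadows  /for=C: /oldest"},
]


def classify_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if the event's command line matches a shadow-deletion rule, else None.

    Matching is case-insensitive and tolerant of extra whitespace, because the exact
    spelling of the command is under the attacker's control.
    """
    cmdline = event.get("cmdline", "")
    for rule_name, pattern in SHADOW_DELETION_RULES.items():
        if pattern.search(cmdline):
            parent = event.get("parent", "")
            severity = "high" if SUSPICIOUS_PARENT_DIRS.search(parent) else "medium"
            return {"ts": event["ts"], "host": event["host"], "rule": rule_name,
                    "severity": severity, "parent": parent, "cmdline": cmdline}
    return None


def find_shadow_deletion(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every event through the rules and return the findings in log order."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in find_shadow_deletion(SAMPLE_EVENTS):
        print(f'{finding["ts"]} {finding["host"]} [{finding["severity"]}] {finding["rule"]}: {finding["cmdline"]}')
```

In the constructed sample, the `vssadmin.exe list shadows` line is correctly ignored (listing is harmless), while the deletion launched from a Temp-folder parent is ranked above the two launched from `cmd.exe`. In a real deployment the same logic belongs in the SIEM as a rule on the command-line field, and a "medium" hit still deserves a look because ransomware is frequently run from an interactive shell after a remote-access compromise.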
After all the preparations are complete, the ZEPPELIN virus starts the file encryption process. It targets the most commonly used file types, such as .pdf, .doc, .msi, .txt, .jpg, .dat, and others. The duration of the encryption process depends on the size of the affected hard drive, as well as connected external devices and networks. The malware also contacts its remote server, from which it retrieves the AES key. Each file encrypted in this way is transformed – a blank icon is shown, and an additional extension is added. Thus, infected users can expect to see picture.jpg turned into picture.jpg.126-A9A-0E9.
ZEPPELIN ransomware is a file locking virus that stems from Buran ransomware family
After the data locking process, ZEPPELIN ransomware drops a message which can be accessed via desktop or the encrypted files' folders. It states:
—=== Welcome. Again. ===—
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 126-A9A-0E9
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.To be sure we have the decryptor and it works you can send an email: firstname.lastname@example.org and decrypt one file for free.
But this file should be of not valuable!
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise – time is much more valuable than money.
Write to email: email@example.com
Reserved email: firstname.lastname@example.org
Reserved jabber: email@example.com
Your personal ID: 126-A9A-0E9
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions – its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
It is a known tactic of cybercriminals to offer a test decryption, as they are trying to establish a false sense of security. However, there are countless instances where victims of ransomware did not receive the decryption tool, even after paying the requested money. Thus, it is better to remove ZEPPELIN ransomware with anti-malware, and then use the alternative recovery methods provided below.
Note that hackers do not bluff when they say that the removal of ZEPPELIN ransomware could result in permanent data loss. To mitigate that, users should make a copy of locked files just in case.
Malware distribution methods vary – users should be more careful online
While many malware samples are quite difficult to get infected with, some advanced distribution methods might fool even those aware of online threats. Nevertheless, most of the ransomware infections occur with the help of some sort of social engineering or simple deception. Additionally, some users are aware of dangers but are still willing to risk malware infections – software cracks and pirated installers are one of the reasons why Djvu ransomware is so prominent nowadays. Therefore, users should not put themselves under unnecessary danger and never attempt to download cracking tools from torrent and similar sites in the first place.
Unfortunately, there is no ZEPPELIN ransomware decryptor currently available
There are several other security measures that users should pay close attention to, as explained by security experts from novirus.uk:
- Install reputable security software capable of comprehensively protecting your machine in real-time;
- Apply all the Windows security patches without delaying them;
- Set all your installed software (especially such flawed components like Flash or Java) to be updated automatically;
- Do not allow email attachments to execute a macro function, i.e., do not press “Allow content” once the MS Word or other document is opened; also, do not click on hyperlinks from unsolicited emails;
- Use strong passwords for all your accounts and apply two-factor authentication method where possible;
- Do not reuse your passwords;
- Turn off Remote Desktop connection when not used;
- Enable ad-blocking extensions;
Backup the encrypted data and then remove ZEPPELIN ransomware from your Windows machine
ZEPPELIN virus is ransomware, meaning that at its core, it is a complicated infection that is programmed to perform many different tasks once it infects the host. While some cryptoviruses self-delete, others lurk inside to encrypt all the new incoming files. In the latter case, ZEPPELIN ransomware removal is required prior to attempting data recovery. For that, victims should access Safe Mode with Networking and perform a full system scan to ensure that all the malicious components are eliminated. In case Windows struggles to function well after, the use of ReimageIntego is recommended.
Note that before you remove ZEPPELIN ransomware, it is just as important to make a backup of the encrypted files on an external drive or a remote server. As already mentioned, the use of anti-malware can damage the data and render it useless forever.
Options for data recovery include:
- Restoring from backups (safest and best way);
- Using third-party data recovery software (low chance of success);
- Paying cybercriminals for the ZEPPELIN ransomware decryptor (not recommended, as chances of being scammed remain).
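The two practical steps in this section are to identify which files the ransomware touched (by the nine-character marker described earlier, e.g. `.126-A9A-0E9`, and by the ransom notes dropped beside them) and to copy those files somewhere safe before running any cleanup. The Python script below is an added example that does both; it is not code from the article or from the site it comes from. It assumes, as I do from the sample extension, that the marker is laid out as three hyphen-separated groups of three alphanumeric characters; the victim directory tree it builds is constructed for the demo and contains placeholder bytes only.

```python
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# Assumption (mine, not the article's): the appended marker follows the layout of the
# sample extension .126-A9A-0E9, i.e. three hyphen-separated groups of three alphanumerics.
# Adjust the pattern if a sample from the incident shows a different shape.
ENCRYPTED_EXT = re.compile(r"\.([0-9A-Za-z]{3}-[0-9A-Za-z]{3}-[0-9A-Za-z]{3})$")

# Ransom-note file names quoted in the article, compared case-insensitively.
RANSOM_NOTE_NAMES = {"readme.txt", "!!! all your files are encrypted !!!.txt"}


def encrypted_marker(name: str) -> Optional[str]:
    """Return the nine-character marker if the file name carries one, else None."""
    m = ENCRYPTED_EXT.search(name)
    return m.group(1) if m else None


def triage(root) -> Dict[str, object]:
    """Walk root and report encrypted files, ransom-note locations and the markers seen.

    Several distinct markers in one tree would suggest more than one run of the malware,
    which matters when deciding which sample to keep for analysis.
    """
    root = Path(root)
    encrypted, notes, markers = [], [], Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        marker = encrypted_marker(path.name)
        if marker:
            encrypted.append(rel)
            markers[marker] += 1
        elif path.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(rel)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "markers": markers}


def backup_encrypted(root, dest) -> int:
    """Copy every encrypted file under root to dest, keeping the relative tree. Returns the count.

    dest must lie outside root, otherwise the walk would pick up its own copies.
    """
    root, dest = Path(root), Path(dest)
    count = 0
    for rel in triage(root)["encrypted"]:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rel, target)  # copy2 preserves timestamps, useful for a later timeline
        count += 1
    return count


def build_sample_tree(root) -> Path:
    """Constructed victim tree for the demo; the contents are placeholders, not real malware."""
    root = Path(root)
    files = {
        "Documents/report.docx.126-A9A-0E9": b"<placeholder ciphertext>",
        "Documents/readme.txt": b"<placeholder ransom note>",
        "Pictures/holiday.jpg.126-A9A-0E9": b"<placeholder ciphertext>",
        "Pictures/!!! ALL YOUR FILES ARE ENCRYPTED !!!.txt": b"<placeholder ransom note>",
        "Pictures/untouched.png": b"\x89PNG placeholder",
        "Windows/System32/notepad.exe": b"MZ placeholder",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    """Run triage and backup on the constructed tree; returns (triage result, files copied)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = build_sample_tree(Path(tmp) / "victim")
        result = triage(victim)
        copied = backup_encrypted(victim, Path(tmp) / "backup")
        return result, copied


if __name__ == "__main__":
    result, copied = demo()
    print("encrypted:", result["encrypted"])
    print("ransom notes:", result["notes"])
    print("markers:", dict(result["markers"]))
    print("files backed up:", copied)
```

On a real machine you would point `triage()` at the affected drive and `backup_encrypted()` at an external disk or network share, and keep one ransom note alongside the copies, since the personal ID it contains is what a future decryptor would need. Only after the copies are verified does the removal described in the next section begin.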
Getting rid of ZEPPELIN virus. Follow these steps
Manual removal using Safe Mode
Remove ZEPPELIN ransomware in Safe Mode if you were unsuccessful when scanning the device with anti-malware in normal mode:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
  - Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove ZEPPELIN using System Restore
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of ZEPPELIN. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove ZEPPELIN from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by ZEPPELIN, you can use several methods to restore them:
Data Recovery Pro software might work
The less you use the computer post-infection of ransomware, the more chances you have of recovering at least some of your data encrypted by ransomware.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by ZEPPELIN ransomware;
- Restore them.
Windows Previous Versions Feature might be the answer
If you had System Restore enabled before the infection, you might be lucky and recover some files one-by-one with Windows Previous Versions Feature.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer might restore all your files
Download ShadowExplorer – this tool should be able to restore all your files if the Zeppelin virus failed to remove Shadow Volume Copies.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No decryption tool is currently available
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from ZEPPELIN and other ransomware, use reputable anti-spyware, such as ReimageIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
How to prevent from getting ZEPPELIN ransomware
Recover files after data-affecting malware attacks
While much data can be accidentally deleted for various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.