Ransomware Research

Zeppelin Ransomware

Zeppelin is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on November 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Buran-Zeppelin.

Quick facts

Ransomware Family

Zeppelin

First Seen

November 1, 2019

Known Aliases

Buran-Zeppelin

How Zeppelin ransomware works

File encryption patterns

Zeppelin modifies encrypted files using specific patterns to mark them as encrypted:

Extensions added after encryption

.zeppelin./\.[A-F0-9]{3}-[A-F0-9]{3}-[A-F0-9]{3}$/./\.payfast[A-F0-9]{3}.[A-F0-9]{3}-[A-F0-9]{3}-[A-F0-9]{3}$/.kikiriki.payfast500.payfast290.@payfast500./\.@KUKANOSSOSANOS\.[A-F0-9]{3}-[A-F0-9]{3}-[A-F0-9]{3}$/./\.v-society\.[A-F0-9]{3}-[A-F0-9]{3}-[A-F0-9]{3}$/

Ransom note and payment demands

After encrypting files, Zeppelin displays ransom notes demanding payment for file recovery:

filereadme.txt

notes/readme.txt

file!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

notes/!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Location: EveryFolder

fileWarning!.txt

notes/Warning!.txt

Location: EveryFolder

fileRECOVERY DATA INFORMATION.TXT

notes/RECOVERY DATA INFORMATION.TXT

file!!! HOW TO BACK YOUR FILES !!!.TXT

notes/!!! HOW TO BACK YOUR FILES !!!.TXT

Location: EveryFolder

fileYOUR FILES ARE STEALED AND ENCRYPTED.txt

Technical indicators

Associated executable files

The following executable files are associated with Zeppelin ransomware:

iexplore.exe
GOOGLECRASHHANDLER.EXE
NisSrv.exe
MFEVTPS.EXE
firefox.exe
av.exe
ShellExperienceHost.exe
zeppelin.exe
1767D234-B440-8A0A-8098-4692C8B2B5A8_unlocker.exe
oxfordnew.exe
on.exe
hhhhhh.bin
smss.exe
TrustedInstaller.exe
logo2.exe
trustedinstaller.exe
zeppelin.bin
svchost.exe
fgnsnfgsfgsn
gnfsnfgn
234561.exe
spoolsv.exe
044
services.exe
Aksip.exe
explorer.exe
4LYY3VHO.exe
taskeng.exe
lsass.exe
March, 4.scr
mWfJm
6378.exe
bced.exe
LilDroidSoftwareload.exe
file168_svchost.exe
pattern.exe
csrss.exe

About this analysis

This Zeppelin ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery, helping organizations defend against and recover from ransomware attacks like Zeppelin.

Last updated: December 30, 2025

Detection coverage

Elastio detects Zeppelin inside your data and backups.

The Hunt Engine uses Deep File Inspection to identify Zeppelin across live data, replicated data, and backups. If this family is in your environment, Elastio finds it before encryption completes. Run a scan against your recovery points to confirm.

See How the Hunt Engine Works Request a Demo

Recent ransomware

Explore other threats in our database

Wxlongda2025 VeilCrypt2025 TitanLabooboo2025 SolidBit2022 SnapHackLocker2024 PySystemUpdate2025 PySimCrypt2025 Monkey2025 Lol2025 HWID2025

View all ransomware →

Zeppelin Ransomware

Quick facts

How Zeppelin ransomware works

File encryption patterns

Ransom note and payment demands

Technical indicators

Associated executable files

About this analysis

Elastio detects Zeppelin inside your data and backups.

Recent ransomware

Product

Sales

Support

Company

Solutions

Partners

Resources

Security

Social

Compare