ZEPPELIN
Zeppelin is a ransomware family active in attacks observed between at least 2019 and 2022. Public reporting links Zeppelin to a ransomware operation allegedly led by Russian national Ianis Aleksandrovich Antropenko, who pleaded guilty to leading the Zeppelin ransomware group and admitted targeting more than 50 victims worldwide during that period. The same reporting states that Zeppelin targeted individuals, businesses, and organizations in the United States and elsewhere.
The malware is consistently described as a third-party locker used by other threat actors rather than being exclusive to a single intrusion set. Most notably, Vice Society (also tracked as Vanilla Tempest and DEV-0832) is repeatedly reported to have deployed Zeppelin in its intrusions, alongside other ransomware families such as Hello Kitty/Five Hands, BlackCat, Quantum Locker, Rhysida, and later INC and Ink. In Vice Society-related reporting, Zeppelin was used in campaigns that disproportionately affected the education sector, especially K-12 institutions, as well as in healthcare and manufacturing intrusions. Initial access in those intrusions included exploitation of internet-facing applications, use of compromised valid accounts, abuse of RDP, and exploitation of the PrintNightmare vulnerabilities CVE-2021-1675 and CVE-2021-34527. Vice Society operations involving Zeppelin also used double extortion, exfiltrating data before encryption.
A concrete Vice Society-related observation notes deployment of Zeppelin ransomware on November 12, 2022 at the path C:\mnt\smile.exe. The same reporting describes surrounding attacker activity including use of Cobalt Strike, Rubeus, Mimikatz, and PowerShell; disabling of Windows Defender protections; creation of administrator accounts; termination of security and business-critical processes; exfiltration of files; deletion of shadow copies; and impact to virtual servers such as Microsoft Hyper-V. Infrastructure-overlap reporting also associates the IP address 34.41.139.193 with multiple malware families including Zeppelin ransomware, though no operational conclusion beyond shared infrastructure is drawn.
Additional reporting places Zeppelin in broader ransomware-ecosystem relationships and overlaps. It is named as one of the ransomware strains cycled through by Vice Society/Vanilla Tempest over time; one report notes overlaps between COLDDRAW and Zeppelin, with Zeppelin reportedly distributed via CHANITOR; and another states that Zeppelin samples were found among tooling recovered during a Netwalker-related investigation. High-confidence indicators directly attributed to Zeppelin itself are limited, but include the observed file path C:\mnt\smile.exe and the shared-infrastructure reference to 34.41.139.193.
Vulnerabilities exploited
The TTPs are nothing new. They include initial network access through compromised credentials, exploitation of known vulnerabilities (e.g., PrintNightmare)
Groups observed using it
Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.
Recent activity
Named ransomware family referenced as one of the third-party payloads used by Vice Society.
A third-party ransomware locker delivered in Vice Society attacks.
Zeppelin is identified as ransomware associated with the same shared IP infrastructure in February 2026.
Ransomware used by the Zeppelin group in a multi-year campaign targeting dozens of victims (at least 50 mentioned).