{
	"id": "a4426b13-37de-4b1f-837e-cb0dc596c54e",
	"created_at": "2026-04-06T00:16:36.539492Z",
	"updated_at": "2026-04-10T03:21:59.459862Z",
	"deleted_at": null,
	"sha1_hash": "c3e843e4dbb44bbdcc6619dc21ea843c3edb1ad1",
	"title": "Ransomware on the Rise: Buran’s transformation into Zeppelin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 809796,
	"plain_text": "Ransomware on the Rise: Buran’s transformation into Zeppelin\r\nBy G DATA Security Center\r\nPublished: 2020-06-30 · Archived: 2026-04-05 13:41:24 UTC\r\nReading time: 5 min (1451 words)\r\nRansomware is still evolving. Evidence for this can be seen every day. Our analysts have taken a look at Buran\r\nand Zeppelin, a particularly devastating exhibit of this evolution.\r\nRansomware made a strong comeback in 2019 after its hiatus in 2018. Many high-profile attacks were reported by\r\nthe end of 2019 [1]. According to Emsisoft, in the U.S. alone, the victims of ransomware include at least 113\r\ngovernment agencies, 89 educational establishments and 764 healthcare providers. The total amount of ransom\r\ndemands tallies over $7.5 billion [2]. In a report by Coveware, the average cost of a ransom payment increased by\r\n104% from the third to the fourth quarter of 2019 [3]. It is therefore hardly surprising that cybercriminals are enticed once\r\nagain into developing and creating new ransomware variants. Amongst the prevalent ransomware last year was the\r\nBuran ransomware, which emerged in early May 2019 and continues to proliferate to this day. In a matter of just 9\r\nmonths, this ransomware released over 5 updates, changing its code and attack vectors in order to stay stealthy\r\nand cause more damage. By the end of last year, a new variant of ransomware known as Zeppelin was released.\r\nUpon initial analysis of Zeppelin, certain behaviors and parts of its source code were found to have\r\nsimilarities with Buran. 
This led us to identify Zeppelin as a new variant of Buran.\r\n[Figure: Buran and Zeppelin ransomware overview. Buran ransomware (May 2019) and Zeppelin ransomware (November 2019) share most steps: disables backup tools (e.g. shadow copy); decrypts malicious code and re-writes it at the image base address; connects to the internet to check the geolocation of the user; drops a copy of itself in %APPDATA%; creates a new instance of itself with the “-agent 0” argument; opens a ransom note using notepad.exe; creates the registry entry HKCU\\Software\\Buran\\ (Buran, and early Zeppelin variants) or HKCU\\Software\\Zeppelin\\ (later Zeppelin variants); drops a ransom note in text file format; executes the dropped copy with the “-start” argument from a new location; creates a new instance of itself with the “-agent 1” argument; encrypts files in every directory not included in its list of whitelisted files, folders and filetypes; drops a clipboard banker; monitors the clipboard for cryptocurrency addresses; sets persistence by creating an entry in the AutoRun registry; terminates blacklisted processes.]\r\nhttps://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin\r\nPage 1 of 8\n\nAttack Vector\r\nZeppelin is reaching its target networks primarily through phishing emails. These emails contain macro-enabled\r\ndocuments that will initiate the download and execution of the ransomware file on the victim’s machine.\r\nMoreover, other Zeppelin samples were also distributed through malicious advertisements (malvertising) that are\r\ndesigned to trick victims into clicking fake advertisements which trigger the download of the malicious\r\nfile. 
Lastly, Zeppelin, like other ransomware, makes use of public remote desktop software via web interfaces\r\nto remotely control a victim’s machine and execute the ransomware.\r\nInstallation\r\nLike Buran, Zeppelin will allocate a space in memory. When executed, it will perform its decryption routine.\r\nHowever, compared to Buran’s straightforward routine, Zeppelin has some changes to its code. For instance, it\r\nnow harvests application programming interfaces (APIs) that it will use later by loading them on the stack. After\r\ndecrypting, it will re-write the decrypted code to the base address of the file and execute it. It uses this obfuscation\r\ntechnique to make the analysis and signature detection of the file difficult.\r\nHarvesting of API\r\nThe main similarities of Zeppelin with Buran are its several system checks. It will first attempt to connect to the\r\ninternet to make a query to hxxp://geoiptool.com. This is a valid web service that checks the geolocation of a\r\nsystem with the use of an IP address, to verify where the file is currently being executed. If found to be running in\r\neither Ukraine, Belarus, Kazakhstan or the Russian Federation, it won’t proceed with its infection and terminates\r\ninstantly. The malware authors did this to make sure that the ransomware won’t infect any user living in the\r\nmentioned countries. This could be a hint that the ransomware originated from one of these countries.\r\nHarvesting of API\r\nCountry Protection Check\r\nZeppelin also creates a registry key that will be used to store data. In the early variants of Zeppelin, it still creates\r\na “Buran” registry key which was later changed to Zeppelin. 
This is one of the links between Buran and Zeppelin.\r\nCompared to Buran, which just creates several instances of itself, Zeppelin drops an executable file inside the\r\n%APPDATA% directory with a filename randomly chosen from a list of possible names. To ensure its persistence,\r\nit adds an autorun key to the registry that points to the path of the dropped file. The dropped file is a copy of itself\r\nwhich will be executed by using the “Shell Execute” API with the “-start” argument.\r\nExecution of its copy with “-start”\r\nSecond Instance\r\nDiscovery of victim’s IP address using iplogger.org\r\nUpon execution of the dropped copy, it will decrypt the contents of its ransom note, then store it in an allocated\r\nmemory space for later use. Meanwhile, it will connect once again to the Internet and make a query to\r\ngeoiptools.com to recheck where it was executed. After that, it will initiate a connection to iplogger.org, once\r\nagain a legitimate web service used to track IP addresses, with the user-agent field set to “ZEPPELIN” and the\r\nreferrer field containing the unique ID of the victim. The malware author can use the IPLogger service to view the\r\nlist of victims of the Zeppelin ransomware.\r\nThe processes running in the victim’s system will be checked against a list of applications associated with\r\nmonitoring system processes and services, databases, backups and web services. 
If the name of a process can be\r\nfound in the list, Zeppelin will force-terminate the said process, to ensure that the maximum number of important\r\ndata files will be encrypted.\r\nBlacklisted processes (as listed in the report):\r\nagntsvc.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, agntsvc.exeisqlplussvc.exe, anvir.exe, anvir64.exe, apache.exe,\r\nbackup.exe, ccleaner.exe, ccleaner64.exe, dbeng50.exe, dbsnmp.exe, encsvc.exe, far.exe, procexp.exe, regedit.exe,\r\nsqbcoreservice.exe, msaccess.exe, msftesql.exe, mspub.exe, mydesktopqos.exe, mydesktopservice.exe, mysqld-nt.exe,\r\nmysqld-opt.exe, mysqld.exe, ncsvc.exe, ocautoupds.exe, ocomm.exe, ocssd.exe, oracle.exe, u8.exe, ufida.exe, visio.exe,\r\nxfssvccon.exe, sql.exe, sqlagent.exe, sqlbrowser.exe, sqlserver.exe, sqlservr.exe, sqlwriter.exe, synctime.exe,\r\ntaskkill.exe, tasklist.exe, taskmgr.exe, tbirdconfig.exe, tomcat.exe, tomcat6.exe, firefoxconfig.exe, infopath.exe,\r\nisqlplussvc.exe, kingdee.exe\r\nThe second instance of Zeppelin enables the malware author to drop a version of Clipbanker in the\r\n%appdata%\\local\\temp directory and execute it as “winupas.exe”. This clipbanker is responsible for monitoring\r\nthe system’s clipboard for any strings that match a cryptocurrency address. If a match is identified, clipbanker\r\nwill replace the string with the malware author’s cryptocurrency address so that any amount of\r\ncryptocurrency to be transferred will be redirected to the malware author’s address. After that, Zeppelin will create\r\nanother instance of itself with the “-agent 0” argument.\r\nThird instance\r\nListing of all available drives\r\nThe third instance of Zeppelin is mainly for file encryption. First it will check available drives in the system by\r\niterating drives from Z:\\ to A:\\. 
It only looks for certain drive types, which are: unknown, removable, fixed, remote\r\nand RAM disk drives.\r\nThen all directories, except Windows operating system folders, Internet browser folders and a few others, will\r\nbe traversed to encrypt all files in them. These whitelisted folders and their files are avoided to ensure the proper\r\nexecution of the malware.\r\nWhitelisted File Paths\r\nOne of the evident changes in Zeppelin is that the infection coverage is wider, as it infects more filetypes than\r\nBuran. For instance, Zeppelin not only infects document files but also executable files with the “.exe” extension. This\r\nmakes Zeppelin more destructive than Buran, as it renders the victim’s machine pretty much unusable by\r\nencrypting all installed software, unless the installation path is included in the whitelisted file paths. Every\r\nZeppelin-encrypted file can easily be distinguished by an infection marker “ZEPPELIN” that can be seen at the\r\nbeginning of the file’s content. This infection marker makes it distinct from Buran, but at the same time is an\r\nindication that they are from the same family, as both leave infection markers at the start of each file using the\r\nsame encryption routine. After all files in the directory are encrypted, a ransom note in text file format will be\r\ndropped. Lastly, it will open the ransom note using notepad.exe to inform the victim of the infection.\r\nRansom Note displayed by Zeppelin\r\nConclusion\r\nIn a time when we create faster solutions and detections, malware authors adapt by creating and\r\nreleasing more malware updates to make sure their malware stays relevant. 
This is evident in ransomware campaigns, as\r\nmalware authors get extra motivation from gaining huge sums of money in exchange for file recovery. Normally,\r\nransomware only infects document files, which is also the case with Buran. However, Zeppelin takes things a step\r\nfurther by targeting not only document-related files but also applications and tools installed in the victim’s\r\nsystem. This extent of damage gives Zeppelin more leverage to make the victim pay the ransom. With this, delivering more\r\nadvanced detections and solutions that will withstand the fast-paced changes of ransomware is needed, just like G\r\nDATA’s DeepRay technology, which uses artificial intelligence and machine learning to protect its users from such\r\nsophisticated tactics of criminal hackers.\r\nInformation for fellow researchers\r\nG DATA Detections:\r\nBuran: Win32.Trojan-Ransom.Buran.A\r\nZeppelin: Win32.Trojan-Ransom.Zeppelin.A\r\nIOC\r\nBuran:\r\n7f0dcd4b9d8881fd0c42a6d605f843c496b7ed1fc3ae3a29d0bd37e851eaadfb\r\nZeppelin:\r\n1cefe918ae56ebd3c2de309efbdd3a99808c823615a11a58bf144d3d6699f69b\r\nReferences\r\n[1] hxxps://www.symantec.com/blogs/expert-perspectives/ransomware-activity-declines-remains-dangerous-threat\r\n[2] hxxps://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/\r\n[3] hxxps://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate\r\nSource: https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin"
	],
	"report_names": [
		"35946-burans-transformation-into-zeppelin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434596,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3e843e4dbb44bbdcc6619dc21ea843c3edb1ad1.pdf",
		"text": "https://archive.orkl.eu/c3e843e4dbb44bbdcc6619dc21ea843c3edb1ad1.txt",
		"img": "https://archive.orkl.eu/c3e843e4dbb44bbdcc6619dc21ea843c3edb1ad1.jpg"
	}
}