A Zeppelin is a simple piece of code distributed as Ransomware as a Serice (RAAS). It’s offered to distributors in exchange for a revenue share. Like other ransomware attacks, it is designed to lure users into enabling Visual Basic Application (VBA) macros that begin the infection process. Zeppelin ransomware attacks start as phishing emails with Microsoft Word attachments labeled as medical invoices that display a blurred image with instructions on how to view the content. If followed, it allows the hidden malicious macros to infect the computer. Like other Russian-based ransomware, Zeppelin ransomware won’t encrypt files if the infected system is located in Russia or the former Soviet states of Belarus, Kazakhstan, and Ukraine—and is designed to quit if found running on machines located there.