Researchers quietly cracked the keys to Zeppelin ransomware
< /p>
Peter is an IT manager for a technology manufacturer that was hit by a strain of Russian ransomware called "Zeppelin" in May 2020. He had been in the role for less than six months, and due to the way his predecessor designed things, the company's data backups were also encrypted by Zeppelin. After two weeks of blocking their extortionists, Peter's bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. "Don't pay," said the agent. "We found someone who can crack the encryption."
Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a New Jersey cybersecurity consulting firm called Unit 221B, specifically its founder, Lance James . Zeppelin burst onto the crimeware scene in December 2019, but it wasn't long before James discovered multiple vulnerabilities in the malware's encryption routines that allowed him to brute force decryption keys in a matter of seconds. hours, using nearly 100 cloud computing servers. /p>
In an interview with KrebsOnSecurity, James said Unit 221B was suspicious of the publicity of its ability to crack Zeppelin ransomware keys, as it did not want to tip the hand of Zeppelin's creators, who were likely to change their file encryption approach if they detected it was somehow circumvented.
It's not an unnecessary concern. There are plenty of examples of ransomware groups doing just that after security researchers bragged about finding vulnerabilities in their ransomware code.
"As soon as you announce that you have a decryptor for some ransomware, they change the code," James said.
But he said the Zeppelin Group appears to have phased out its ransomware code over the past year, possibly because credentials from FBI Unit 221B allowed it to quietly help nearly two dozen victim organizations to recover without paying their extortionists.
In a blog post published today to coincide with a Black Hat Dubai conference on their findings, James and co-author Joel Lathrop said they were motivated to crack Zeppelin after the ransomware gang started attacking nonprofits and charities.
“What motivated us the most during the preparation of our action was the targeting of homeless shelters, non-profit organizations and charities,” the two wrote. “These senseless acts of targeting those unable to respond are the motivation for this research, analysis, tools and blog post. A general rule of Unit 221B around our offices is: don't [REDACTED] with the homeless or the sick! It'll just trigger our ADHD and we'll go into that hyper-focus mode that's good if you're a good guy, but not so good if you're an asshole."
The researchers said their break came when they realized that if Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or calculating just one of between them: an ephemeral RSA-512 public key that is randomly generated on each machine it infects.
"If we can retrieve the RSA-512 public key from the registry, we can decrypt it and get the 256-bit AES key that encrypts the files!" they wrote. "The challenge was that they delete the [public key] once the files are fully encrypted. The memory scan gave us about 5 minutes after the files were encrypted to recover that public key."
Unit 221B eventually built a "Live CD" version of Linux that victims could run on infected systems to extract this RSA-512 key. From there, they would load the keys into a cluster of 800 processors donated by hosting giant Digital Ocean which would then start cracking them. The company also used this same offered infrastructure to help victims decrypt their data using the recovered keys.
A typical ransomware note Zeppelin.
Jon is another grateful Zeppelin ransomware victim who was helped by Unit 221B...
< /p>
Peter is an IT manager for a technology manufacturer that was hit by a strain of Russian ransomware called "Zeppelin" in May 2020. He had been in the role for less than six months, and due to the way his predecessor designed things, the company's data backups were also encrypted by Zeppelin. After two weeks of blocking their extortionists, Peter's bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. "Don't pay," said the agent. "We found someone who can crack the encryption."
Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a New Jersey cybersecurity consulting firm called Unit 221B, specifically its founder, Lance James . Zeppelin burst onto the crimeware scene in December 2019, but it wasn't long before James discovered multiple vulnerabilities in the malware's encryption routines that allowed him to brute force decryption keys in a matter of seconds. hours, using nearly 100 cloud computing servers. /p>
In an interview with KrebsOnSecurity, James said Unit 221B was suspicious of the publicity of its ability to crack Zeppelin ransomware keys, as it did not want to tip the hand of Zeppelin's creators, who were likely to change their file encryption approach if they detected it was somehow circumvented.
It's not an unnecessary concern. There are plenty of examples of ransomware groups doing just that after security researchers bragged about finding vulnerabilities in their ransomware code.
"As soon as you announce that you have a decryptor for some ransomware, they change the code," James said.
But he said the Zeppelin Group appears to have phased out its ransomware code over the past year, possibly because credentials from FBI Unit 221B allowed it to quietly help nearly two dozen victim organizations to recover without paying their extortionists.
In a blog post published today to coincide with a Black Hat Dubai conference on their findings, James and co-author Joel Lathrop said they were motivated to crack Zeppelin after the ransomware gang started attacking nonprofits and charities.
“What motivated us the most during the preparation of our action was the targeting of homeless shelters, non-profit organizations and charities,” the two wrote. “These senseless acts of targeting those unable to respond are the motivation for this research, analysis, tools and blog post. A general rule of Unit 221B around our offices is: don't [REDACTED] with the homeless or the sick! It'll just trigger our ADHD and we'll go into that hyper-focus mode that's good if you're a good guy, but not so good if you're an asshole."
The researchers said their break came when they realized that if Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or calculating just one of between them: an ephemeral RSA-512 public key that is randomly generated on each machine it infects.
"If we can retrieve the RSA-512 public key from the registry, we can decrypt it and get the 256-bit AES key that encrypts the files!" they wrote. "The challenge was that they delete the [public key] once the files are fully encrypted. The memory scan gave us about 5 minutes after the files were encrypted to recover that public key."
Unit 221B eventually built a "Live CD" version of Linux that victims could run on infected systems to extract this RSA-512 key. From there, they would load the keys into a cluster of 800 processors donated by hosting giant Digital Ocean which would then start cracking them. The company also used this same offered infrastructure to help victims decrypt their data using the recovered keys.
A typical ransomware note Zeppelin.
Jon is another grateful Zeppelin ransomware victim who was helped by Unit 221B...
What's Your Reaction?
![Three of ID's top PR executives quit ad firm Powerhouse [EXCLUSIVE]](https://variety.com/wp-content/uploads/2023/02/ID-PR-Logo.jpg?#){kind=logo}
