
Zeppelin ransomware decrypter: Zeppelin ransomware flaw exploited to help victims for years

Updated on 2022-11-24: Zeppelin ransomware flaw exploited to help victims for years

Unit 221B, a New Jersey cyber security firm, was able to recover Zeppelin encryption keys by taking advantage of a flaw in the three-step encryption system Zeppelin used. In one of the encryption steps, the ransomware temporarily stored a relatively weak 512-bit RSA key in the Windows registry; by recovering the deleted key and cracking it, Unit 221B was able to extract per-file decryption keys. This process was used to help nearly two dozen victims recover from attacks without paying ransoms. Unit 221B revealed the flaw recently, as the ransomware is no longer in use.

Updated on 2022-11-20: Researchers quietly cracked Zeppelin ransomware keys

@briankrebs has a story about a rare early win against the Zeppelin ransomware: researchers at Unit 221B discovered a vulnerability that ended up helping close to two dozen victims recover their files without paying the ransom. The researchers kept their discovery quiet so as not to alert the ransomware actors, who were known for targeting nonprofits and charity organizations. The ransomware gang “appears to have stopped spreading their ransomware code gradually over the past year,” possibly as a result of its failed encryption.

Updated on 2022-11-18: Zeppelin Ransomware Decryptor

A researcher from Unit 221B, a New Jersey cybersecurity consulting firm, found vulnerabilities in the Zeppelin ransomware’s encryption routines and was able to brute force decryption keys. Zeppelin first appeared in late 2019. The researchers say they began investigating Zeppelin after attackers started using it to target non-profits and charities. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint alert about Zeppelin in August 2022.


  • The good news is that cryptography is hard for the bad guys to do well. The bad news is that cryptography is also hard for the good guys to do well. If you are building or buying apps that use cryptography, make sure the code is tested by skilled personnel. Side note: “Zeppelin Ransomware” would be a good name for a band…
  • Encryption is hard, even without quantum computing. In this case the researchers discovered two flawed encryption techniques, then were able to leverage twenty 40-CPU servers to factor a 520-bit RSA key in a few hours; from there they had the two primes (p, q) used to compute the public key (n), which in turn allowed them to compute the private key (d). Yes, this makes my head hurt too. Look, when implementing cryptography, make sure that it’s done properly; ideally, let someone else create and certify the implementation before you use it. If you really want to roll your own encryption, read that blog, and if you’re still determined to do so, make sure that you have it authoritatively reviewed for deficiencies.
  • While finding a vulnerability in the encryption routine worked this time, the best defense is still patching, configuration management, and limiting accounts with elevated privileges.
  • My regular reminder that the Europol No More Ransom website has a repository for known decryption keys.
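Why a short RSA modulus undoes the whole key hierarchy, as an added example that is not Unit 221B's tooling or code from the original page: once n is factored into p and q, the private exponent d follows directly and any key wrapped under n can be unwrapped. A constructed 63-bit toy modulus stands in for the 512-bit key, and Pollard's rho stands in for the large-scale factoring run the commentary describes; all names and values are assumptions made for illustration.

```python
from math import gcd


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of an odd composite n (Floyd cycle finding)."""
    for c in range(1, 50):                 # retry with another polynomial on failure
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n            # tortoise: one step
            y = (y * y + c) % n            # hare: two steps
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def recover_private_exponent(n: int, e: int) -> int:
    """Factor n, then derive d = e^-1 mod (p-1)(q-1)."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed toy key material (not from any real sample).
P, Q, E = 2147483647, 4294967291, 65537    # two known primes and the usual exponent
N = P * Q                                  # 63-bit public modulus
SESSION_KEY = 0x0123456789ABCDEF           # stands in for a per-file key
WRAPPED = pow(SESSION_KEY, E, N)           # what would be left on disk


def unwrap_with_public_key_only() -> int:
    """Recover the wrapped key using nothing but (N, E) and the ciphertext."""
    d = recover_private_exponent(N, E)
    return pow(WRAPPED, d, N)


if __name__ == "__main__":
    print(hex(unwrap_with_public_key_only()))
```

The cost of the factoring step is the only thing protecting the wrapped key, which is why the modulus length matters more than any other detail of the scheme.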


Overview: Zeppelin ransomware decrypter

Cybersecurity firm Unit221b said it found a design flaw in the encryption scheme of the Zeppelin ransomware in February 2020, and for the past two years, the company has been using this vulnerability to allow victims to recover their files without paying the attackers. Unit221b disclosed their findings at the Black Hat security conference held last week in Riyadh, Saudi Arabia, after noticing that attacks with the Zeppelin ransomware slowed down to a crawl this year, suggesting that the gang had lost faith in their encrypter.

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
