Updated on 2022-11-24: Zeppelin ransomware flaw exploited to help victims for years
Unit 221B, a New Jersey cybersecurity firm, was able to recover Zeppelin encryption keys by taking advantage of a flaw in the three-step encryption scheme Zeppelin used. In one of the encryption steps the ransomware temporarily stored a relatively weak 512-bit RSA key in the Windows registry; by recovering the deleted key and cracking it, Unit 221B was able to extract per-file decryption keys. This process was used to help nearly two dozen victims recover from attacks without paying ransoms. Unit 221B revealed the flaw only recently, as the ransomware is no longer in use. Read more:
- Breaking 512-bit RSA with Amazon EC2 is a cinch. So why all the weak keys?
- 0XDEAD ZEPPELIN
- Researchers Quietly Cracked Zeppelin Ransomware Keys
Updated on 2022-11-20: Researchers quietly cracked Zeppelin ransomware keys
@briankrebs with a story about a rare early win against the Zeppelin ransomware: researchers at Unit 221B discovered a vulnerability that ended up helping close to two dozen victims recover their files without paying the ransom. The researchers kept their discovery quiet so as not to alert the ransomware actors, who were known for targeting nonprofits and charity organizations. The ransomware gang “appears to have stopped spreading their ransomware code gradually over the past year,” possibly as a result of its failed encryption. Read More:
Updated on 2022-11-18: Zeppelin Ransomware Decryptor
A researcher from Unit 221B, a New Jersey cybersecurity consulting firm, found vulnerabilities in the Zeppelin ransomware’s encryption routines and was able to brute-force decryption keys. Zeppelin first appeared in late 2019. The researchers say they began investigating Zeppelin after attackers started using it to target non-profits and charities. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint alert about Zeppelin in August 2022.
Note
- The good news is that cryptography is hard for the bad guys to do well. The bad news is that cryptography is also hard for the good guys to do well. If you are building or buying apps that use cryptography, make sure the code is tested by skilled personnel. Side note: “Zeppelin Ransomware” would be a good name for a band…
- Encryption is hard, even without quantum computing. In this case the researchers discovered two flawed encryption techniques, then were able to leverage twenty 40-CPU servers to factor a 520-bit RSA key in a few hours; from there they had the two primes (p,q) used to compute the public key (n), which in turn allowed them to compute the private key (d). Yes, this makes my head hurt too. Look, when implementing cryptography, make sure that it’s done properly; ideally let someone else create and certify the implementation before you use it. If you really want to roll your own encryption, read that blog, and if you’re still determined to do so, make sure that you have it authoritatively reviewed for deficiencies.
- While finding a vulnerability in the encryption routine worked this time, the best defense is still patching, configuration management, and limiting accounts with elevated privileges.
- My regular reminder that the Europol No More Ransom website (www.nomoreransom.org) has a repository for known decryption keys.
Read more in
- 0XDEAD ZEPPELIN
- Alert (AA22-223A) #StopRansomware: Zeppelin Ransomware (August 11, 2022)
- Researchers Quietly Cracked Zeppelin Ransomware Keys
- Researchers secretly helped decrypt Zeppelin ransomware for 2 years
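The note above describes the recovery chain in one sentence: factor the RSA modulus, get p and q, compute phi(n) and then d = e^-1 mod phi(n). The following added example (written for this page, not Unit 221B's tooling and not Zeppelin code) walks that chain end to end on a scaled-down key so it runs offline in under a second: it generates a deliberately undersized 64-bit RSA modulus in place of the 512-bit one, factors it with Pollard's rho instead of the server farm the note mentions, rebuilds the private exponent, and unwraps a constructed "per-file key". All function names, the seed values and the sample key bytes are assumptions made for the illustration.

```python
"""
Added example (not Unit 221B's tooling and not Zeppelin code): a scaled-down
walk-through of the key recovery described in the notes above. A toy RSA key
with a 64-bit modulus stands in for the 512-bit key; the modulus is factored,
(p, q) give phi(n), and d = e^-1 mod phi(n) unwraps a constructed per-file key.
"""
import math
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
PUBLIC_EXPONENT = 65537


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; sufficient for toy-sized candidates."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd prime of exactly `bits` bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def weak_keypair(modulus_bits: int = 64, seed: int = 2022):
    """Deliberately undersized RSA key (constructed); returns ((n, e), (p, q))."""
    rng = random.Random(seed)
    while True:
        p = random_prime(modulus_bits // 2, rng)
        q = random_prime(modulus_bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(PUBLIC_EXPONENT, phi) == 1:
            return (p * q, PUBLIC_EXPONENT), (p, q)


def pollard_rho(n: int, rng: random.Random) -> int:
    """Return a non-trivial factor of composite n (Floyd-cycle Pollard rho)."""
    if n % 2 == 0:
        return 2
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:          # d == n means the walk collapsed; retry with new c
            return d


def factor_modulus(n: int, seed: int = 1) -> tuple:
    """Recover (p, q) from n. For the real 512-bit key this step is the one the
    note says took twenty 40-CPU servers; for 64 bits it is well under a second."""
    f = pollard_rho(n, random.Random(seed))
    p, q = sorted((f, n // f))
    return p, q


def private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n): once p and q are known the private key follows."""
    return pow(e, -1, (p - 1) * (q - 1))


def demo() -> dict:
    (n, e), _secret_factors = weak_keypair()
    # Constructed stand-in for a per-file key wrapped under the weak RSA key.
    per_file_key = int.from_bytes(b"file-key", "big") % n
    wrapped = pow(per_file_key, e, n)      # what the encrypted file carries
    p, q = factor_modulus(n)               # the "crack the RSA key" step
    d = private_exponent(p, q, e)          # rebuild the private key from (p, q)
    unwrapped = pow(wrapped, d, n)         # per-file key recovered
    return {"n": n, "e": e, "p": p, "q": q, "d": d,
            "original_key": per_file_key, "recovered_key": unwrapped}


if __name__ == "__main__":
    r = demo()
    print(f"n={r['n']} = {r['p']} * {r['q']}; "
          f"per-file key recovered: {r['recovered_key'] == r['original_key']}")
```

The point for defenders is the scaling, not the code: the same three steps apply to any RSA key, and the only thing standing between an attacker (or, as here, a rescuer) and the private key is the cost of factoring n. At 64 bits that cost is a laptop second; at 512 bits it is hours on rented hardware, as the note describes; at 2048 bits it is out of reach. Any product that wraps file keys under a modulus you can factor has no confidentiality, whichever side is doing the factoring.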
Overview: Zeppelin ransomware decrypter
Cybersecurity firm Unit221b said it found a design flaw in the encryption scheme of the Zeppelin ransomware in February 2020, and for the past two years the company has been using this vulnerability to allow victims to recover their files without paying the attackers. Unit221b disclosed its findings at the Black Hat security conference held last week in Riyadh, Saudi Arabia, after noticing that attacks with the Zeppelin ransomware had slowed to a crawl this year, suggesting that the gang had lost faith in its encrypter. Read more: