The Zeppelin ransomware left many unpaid victims with encrypted data. Now there is hope, because Unit 221B has discovered a method to crack the key. It's all a bit tedious, but it's worth it.
As recently as August of this year, the US CISA (Cybersecurity and Infrastructure Security Agency) issued a warning about Zeppelin ransomware. The advisory explains that Zeppelin is a derivative of the Delphi-based Vega malware family and operates as ransomware as a service (RaaS).
Zeppelin Ransomware as a Service (RaaS)
From 2019 until at least June 2022, actors used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to demand ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.
FBI tells victims not to pay
According to a report by Brian Krebs, a victim was about to pay when they received a tip from the FBI that a company had found a way to decrypt the data. Unit 221B researchers found and exploited a weakness in the Zeppelin ransomware. Although Zeppelin uses three different methods to encrypt files, every attack starts from a short-lived RSA-512 public key from which everything else is derived.
The researchers' trick is to recover that RSA-512 key from the registry, crack it, and use it to obtain the 256-bit AES key that ultimately encrypted the files. Unit 221B eventually built a Linux live CD that victims can run on infected systems to extract the RSA-512 key.
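The recovery chain described above (public RSA key left on the system, factor it to rebuild the private key, unwrap the file-encryption key) can be re-created at toy scale. The following is an added illustration, not code from this article or from Unit 221B, and it does not reproduce their actual method or Zeppelin's file format. All values are constructed: the modulus is about 62 bits rather than 512, the wrapped secret is a 7-byte stand-in rather than a 256-bit AES key so that it fits under the toy modulus, and the factoring step uses Pollard's rho, which only works at this size (a real 512-bit modulus needs number-field-sieve tooling and, as the article notes, hundreds of CPUs). The names `toy_keypair`, `wrap_key`, `recover_private_exponent` and `demo` are this example's own.

```python
"""Toy re-creation of an RSA-wrapped session-key recovery (constructed example)."""
import math
import random

RNG = random.Random(2022)  # fixed seed so the run is reproducible


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def toy_keypair(bits: int = 31):
    """RSA key from two `bits`-bit primes (toy: a real RSA-512 key uses 256-bit primes)."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)


def pollard_rho(n: int) -> int:
    """Non-trivial factor of composite n (Floyd-cycle Pollard's rho).
    Cost grows like sqrt(smallest prime factor): trivial for 31-bit primes,
    hopeless for the 256-bit primes of a genuine RSA-512 modulus."""
    if n % 2 == 0:
        return 2
    while True:
        c = RNG.randrange(1, n)
        x = y = RNG.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def recover_private_exponent(n: int, e: int) -> int:
    """Victim-side step: factor the public modulus and rebuild d from the factors."""
    p = pollard_rho(n)
    q = n // p
    assert p * q == n and is_probable_prime(p) and is_probable_prime(q)
    return pow(e, -1, (p - 1) * (q - 1))


def wrap_key(session_key: bytes, pub) -> int:
    """Textbook (unpadded) RSA wrapping of a session key: stands in for the
    ransomware protecting its file-encryption key under the per-victim public key."""
    n, e = pub
    m = int.from_bytes(session_key, "big")
    assert m < n, "toy secret must be smaller than the modulus"
    return pow(m, e, n)


def unwrap_key(wrapped: int, n: int, d: int, length: int) -> bytes:
    return pow(wrapped, d, n).to_bytes(length, "big")


def demo() -> bytes:
    pub, _operator_only_d = toy_keypair()          # private half never reaches the victim
    session_key = bytes.fromhex("a1b2c3d4e5f607")   # constructed 7-byte stand-in for an AES key
    wrapped = wrap_key(session_key, pub)            # what is left behind on the machine
    # Recovery sees only the public key and the wrapped blob.
    d = recover_private_exponent(*pub)
    return unwrap_key(wrapped, pub[0], d, len(session_key))


if __name__ == "__main__":
    print(demo().hex())
```

The point the toy makes is the same one behind the article: once the public modulus is small enough to factor, the private exponent follows directly from the factors, and every secret wrapped under that key becomes recoverable without any help from the operator.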
800 CPUs crack the RSA key
The key was then loaded into a cluster of 800 CPUs donated by the hosting giant DigitalOcean, which cracked it. The company also used the same donated infrastructure to help victims decrypt their data with the recovered keys.
A technical description of how Unit 221B cracks the key can be found on their blog.
More at Blog.Unit221B.com