Hope for victims: Zeppelin ransomware decryptor


The Zeppelin ransomware left many unpaid victims with encrypted data. Now there is hope, because Unit 221B has discovered a method to crack the key. It's all a bit tedious, but it's worth it.    

As recently as August of this year, the American CISA (Cybersecurity and Infrastructure Security Agency) issued a warning about Zeppelin ransomware. The advisory explained that Zeppelin is a derivative of the Delphi-based Vega malware family and operates as ransomware as a service (RaaS).

Zeppelin Ransomware as a Service (RaaS)

From 2019 until at least June 2022, actors used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to demand ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.

FBI tells victims not to pay

According to a report by Brian Krebs, a victim was about to pay when they received a tip from the FBI that a company had found a way to decrypt the data. Unit 221B researchers have found and exploited a vulnerability in the Zeppelin ransomware. Although Zeppelin uses three different ways to encrypt files, the attack always begins with a short-lived RSA-512 public key that initiates everything.

The researchers' trick is to recover the RSA-512 key from the registry, crack it and use it to obtain the 256-bit AES key that ultimately encrypted the files. Unit 221B eventually built a Linux live CD that victims could run on infected systems to extract the RSA-512 key.

800 CPUs crack the RSA key

The recovered key was then loaded into a cluster of 800 CPUs donated by hosting giant Digital Ocean, which cracked the RSA key. The company also used the same donated infrastructure to help victims decrypt their data with the recovered keys.
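The recovery chain described above (factor the short RSA modulus, derive the private exponent from the factors, unwrap the symmetric key) as an added educational example, not Unit 221B's code. It uses a constructed 63-bit toy modulus so that Pollard's rho factors it in well under a second on one machine; the real 512-bit modulus is why the 800-CPU cluster was needed, and in the real case the unwrapped value would be the AES-256 file key rather than a 32-bit placeholder.

```python
import math

# Constructed toy parameters: two known primes (2^31-1 and 2^32-5) give a
# 63-bit modulus, which is far too small to protect anything but is exactly
# the shape of the weakness: a modulus small enough to factor.
TOY_P = 2147483647
TOY_Q = 4294967291
TOY_N = TOY_P * TOY_Q
TOY_E = 65537


def wrap_key(sym_key: int, e: int, n: int) -> int:
    """Textbook RSA 'wrap' of a symmetric key integer with the public key (e, n).
    Stands in for the ransomware encrypting its per-victim AES key."""
    if sym_key >= n:
        raise ValueError("key must be smaller than the modulus")
    return pow(sym_key, e, n)


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle finding).
    Practical only for small moduli; larger ones need sieve methods and
    far more compute, as the page's cluster shows."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):  # retry with a new polynomial if a cycle degenerates
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def recover_wrapped_key(n: int, e: int, wrapped: int) -> int:
    """Given only the public key and the wrapped key, factor n, rebuild the
    private exponent d = e^-1 mod (p-1)(q-1) and unwrap the symmetric key."""
    p = pollard_rho(n)
    q = n // p
    if p * q != n or 1 in (p, q):
        raise ValueError("factorization failed")
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return pow(wrapped, d, n)
```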

A technical description of how Unit 221B cracks the key can be found on their blog.

More at Blog.Unit221B.com
