Peter is an IT supervisor for a know-how producer that bought hit with a Russian ransomware pressure known as “Zeppelin” in May 2020. He’d been on the job lower than six months, and due to the best way his predecessor architected issues, the corporate’s knowledge backups additionally have been encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter’s bosses have been able to capitulate and pay the ransom demand. Then got here the unlikely name from an FBI agent. “Don’t pay,” the agent stated. “We’ve found someone who can crack the encryption.”
Peter, who spoke candidly concerning the assault on situation of anonymity, stated the FBI advised him to contact a cybersecurity consulting agency in New Jersey known as Unit 221B, and particularly its founder — Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it surely wasn’t lengthy earlier than James found a number of vulnerabilities within the malware’s encryption routines that allowed him to brute-force the decryption keys in a matter of hours, utilizing practically 100 cloud laptop servers.
In an interview with KrebsOnSecurity, James stated Unit 221B was cautious of promoting its capacity to crack Zeppelin ransomware keys as a result of it didn’t need to tip its hand to Zeppelin’s creators, who have been more likely to modify their file encryption strategy in the event that they detected it was in some way being bypassed.
This just isn’t an idle concern. There are a number of examples of ransomware teams doing simply that after safety researchers crowed about discovering vulnerabilities of their ransomware code.
“The minute you announce you’ve got a decryptor for some ransomware, they change up the code,” James stated.
But he stated the Zeppelin group seems to have stopped spreading their ransomware code progressively over the previous yr, probably as a result of Unit 221B’s referrals from the FBI allow them to quietly assist practically two dozen sufferer organizations recuperate with out paying their extortionists.
In a weblog put up revealed in the present day to coincide with a Black Hat Dubai speak on their discoveries, James and co-author Joel Lathrop stated they have been motivated to crack Zeppelin after the ransomware gang began attacking nonprofit and charity organizations.
“What motivated us the most during the leadup to our action was the targeting of homeless shelters, nonprofits and charity organizations,” the 2 wrote. “These senseless acts of targeting those who are unable to respond are the motivation for this research, analysis, tools, and blog post. A general Unit 221B rule of thumb around our offices is: Don’t [REDACTED] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an ***hole.”
The researchers stated their break got here once they understood that whereas Zeppelin used three several types of encryption keys to encrypt recordsdata, they might undo the entire scheme by factoring or computing simply considered one of them: An ephemeral RSA-512 public key that’s randomly generated on every machine it infects.
“If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”
Unit 221B in the end constructed a “Live CD” model of Linux that victims may run on contaminated methods to extract that RSA-512 key. From there, they’d load the keys right into a cluster of 800 CPUs donated by internet hosting big Digital Ocean that may then begin cracking them. The firm additionally used that very same donated infrastructure to assist victims decrypt their knowledge utilizing the recovered keys.
A typical Zeppelin ransomware notice.
Jon is one other grateful Zeppelin ransomware sufferer who was aided by Unit 221B’s decryption efforts. Like Peter, Jon requested that his final title and that of his employer be omitted from the story, however he’s answerable for IT for a mid-sized managed service supplier that bought hit with Zeppelin in July 2020.
The attackers that savaged Jon’s firm managed to phish credentials and a multi-factor authentication token for some instruments the corporate used to assist prospects, and in brief order they’d seized management over the servers and backups for a healthcare supplier buyer.
Jon stated his firm was reluctant to pay a ransom partly as a result of it wasn’t clear from the hackers’ calls for whether or not the ransom quantity they demanded would offer a key to unlock all methods, and that it might accomplish that safely.
“They want you to unlock your data with their software, but you can’t trust that,” Jon stated. “You want to use your own software or someone else who’s trusted to do it.”
In August 2022, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint warning on Zeppelin, saying the FBI had “observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.”
The advisory says Zeppelin has attacked “a range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”
The FBI and CISA say the Zeppelin actors acquire entry to sufferer networks by exploiting weak Remote Desktop Protocol (RDP) credentials, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to 2 weeks mapping or enumerating the sufferer community to determine knowledge enclaves, together with cloud storage and community backups, the alert notes.
Jon stated he felt so fortunate after connecting with James and listening to about their decryption work, that he toyed with the thought of shopping for a lottery ticket that day.
“This just doesn’t usually happen,” Jon stated. “It’s 100 percent like winning the lottery.”
By the time Jon’s firm bought round to decrypting their knowledge, they have been compelled by regulators to show that no affected person knowledge had been exfiltrated from their methods. All advised, it took his employer two months to completely recuperate from the assault.
“I definitely feel like I was ill-prepared for this attack,” Jon stated. “One of the things I’ve learned from this is the importance of forming your core team and having those people who know what their roles and responsibilities are ahead of time. Also, trying to vet new vendors you’ve never met before and build trust relationships with them is very difficult to do when you have customers down hard now and they’re waiting on you to help them get back up.”
A extra technical writeup on Unit 221B’s discoveries (cheekily titled “0XDEAD ZEPPELIN”) is on the market right here.