Euro Security Watch with Mathew J. Schwartz

Business Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service

Zeppelin Ransomware Proceeds Punctured by Crypto Workaround

Cryptography Errors Exploited by Researchers for Recovery Without Paying a Ransom
Zeppelin Ransomware Proceeds Punctured by Crypto Workaround
Zeppelin ransomware control panel (Source: Cyble)

As the U.S. celebrates Thanksgiving, let's give thanks for this cybercrime karma concerning Zeppelin ransomware: For two years, law enforcement and security experts have been quietly helping victims decrypt their systems without having to pay a ransom.

See Also: 5 Requirements for Modern DLP

So reveal cybersecurity firm Unit 221B's Lance James and Joel Lathrop, who write in a blog post that in December 2019, when reviewing a teardown of Zeppelin published by cybersecurity firm Cyble, "we realized that there were a few flaws within the architecture of Zeppelin that would open an opportunity for recovery."

In the blog post, released to coincide with James' presentation this month at the Black Hat Middle East and Africa conference, they add: "What motivated us the most during the lead-up to our action was the targeting of homeless shelters, nonprofits and charity organizations."

The researchers found that while Zeppelin - aka Buran - used several different types of encryption. But by factoring a RSA-512 public key generated on each infected system, they were able to obtain a master key to decrypt all of the files. In February 2020, Unit 221B shared this information via a "limited public release in order to support law enforcement and protect the victims of these attacks."

Unit 221B also "built a 'Live CD' version of Linux that victims could run on infected systems to extract that RSA-512 key," reports security blogger Brian Krebs. "From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys."

While this service was provided for free to victims, as with so many aspects of recovering from ransomware, it's not without cost, which in this case involves having to factor the RSA-512 public key on each compromised system. "Factoring is never free," James tells me. But the company is set Monday to "release the code, the Live CD and the scripts to do it yourself with Digital Ocean," although victims might also pick a different approach, such as using Amazon Web Services GPU instances.

"We believe the cost to a user will be around $250 to crack a key, based on Digital Ocean's current pricing," James says. "Our scripts will automatically shut down the machines correctly to save as much cost as possible. Factoring requires CPU time from somewhere (or GPUs) and that is usually some form of cost. But the cost is pretty minimal, compared to paying the ransom."

Initial Targets: Tech and Healthcare

Zeppelin dates from November 2019, when the Russian-language ransomware-as-a-service operation debuted, sporting a version of Delphi ransomware, which was based on the earlier Vega - aka VegaLocker - crypto-locking malware, as the BlackBerry Cylance Threat Research Team detailed at the time. Unusually, Vega was designed for shotgun-style - quantity over quality - attacks against Russian targets.

Shortly thereafter, Zeppelin looked westward. "The first samples of Zeppelin … were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the U.S.," BlackBerry Cylance researchers reported. "In a stark opposition to the Vega campaign, all Zeppelin binaries … are designed to quit if running on machines that are based in Russia and some other ex-USSR countries" that are part of the Commonwealth of Independent States. Experts said the malware often spread via phishing attacks and remote desktop protocol compromise.

Zeppelin ransom note (Source: Unit 221B)

Following its 2019 debut, Zeppelin temporarily went quiet, until August 2020 when a new version appeared.

"From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries," the U.S. Cybersecurity Infrastructure and Security Agency warned in an August alert. "Zeppelin actors have been known to request ransom payments in bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars."

The Vice Society ransomware group appears to have been among the users of Zeppelin (see: Vice Society Wielding Multiple Strains of Ransomware).

Authorities say Zeppelin sometimes gets deployed multiple times inside a victim's environment. "The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys," according to CISA's alert.

Give Thanks to Errors, Retirement, Arrests

The Zeppelin workaround discovered by Unit 221B, which it says helped at least two dozen victims, isn't the first time victims have been able to decrypt crypto-locked systems without having to pay a ransom. Indeed, the same has also been possible for the likes of GandCrab, Ziggy, DarkSide, BlackMatter and many more.

This situation can come about in numerous ways, including:

  • Errors: Cryptography is tough to implement correctly, as seen in numerous legitimate products, and ransomware-building developers face similar challenges.
  • Police: If law enforcement penetrates criminals' infrastructure - as the FBI did with REvil/Sodinokibi last year - or arrests ringleaders, they sometimes recover master keys that can be used by security firms to build free decryptors. Many of these are cataloged and available via the No More Ransom project.
  • Retirement: Some ransomware gangs - including Avaddon, Ziggy and others - claim they're calling it quits, and release master keys for all victims, facilitating the development of a decryptor (see: 'Fear' Likely Drove Avaddon's Exit From Ransomware Fray).

Spreading the Word

Decrypting without having to pay a ransom doesn't stop organizations from falling victim to ransomware, then having to undertake what's typically a costly and lengthy incident response engagement to clean up the mess. That's a reminder that the best defense against ransomware remains having top-notch defenses and well-practiced plans in place to block attacks outright and to minimize the damage if one does get through.

Of course, the availability of a free ransomware decryptor should always be celebrated.

But circulating a workaround on the sly means some victims might not know it exists. Cue this Tuesday comment at the bottom of Unit 221B's blog post: "We are a hospital here. We were attacked by this ransomware virus three years ago. We have not decrypted it so far. Can you provide a decryption tool?"

In response to the post, Unit 221B's James tells me: "We are responding to them and will help them."

The episode highlights this challenge: Publicize a ransomware workaround, and the crypto-locking malware developers involved will likely fix it quickly. Don't publicize it, and some victims won't benefit.

Cue this mandate for all ransomware victims: Always reach out to ransomware response firms - an initial consultation should always be free - and preferably law enforcement too, to see what workarounds might be available. Because for all of the reasons detailed above, not all ransomware "get out of jail free" cards will be public knowledge. Help - provided on the QT - could be just a phone call away (see: Memo to Ransomware Victims: Seeking Help May Save You Money).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.