Unit221b Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years
https://gridinsoft.com/blogs/zeppelin-ransomware-victims/
Tue, 22 Nov 2022 08:55:01 +0000

Since 2020, a group of information security specialists has quietly helped individuals and companies affected by the Zeppelin ransomware. A number of vulnerabilities were found in the encryptor, and these were used to build a working decryptor.

Let me remind you that we previously reported that Microsoft Links Hacker Group Vice Society to Several Ransomware Campaigns (including ones using Zeppelin malware), and also that Azov Ransomware Tries to Set Up Cybersecurity Specialists.

According to Bleeping Computer, the authors of this decryptor were specialists from the information security consultancy Unit221b. Back in 2020, they prepared a report on the vulnerabilities in the ransomware, but delayed its publication so that the attackers would not learn that free file decryption was possible.

Unit221b experts decided to try to break Zeppelin after discovering that the malware operators were attacking charities, non-profit organizations and even homeless shelters.

Starting from a 2019 BlackBerry Cylance report, the researchers found that Zeppelin uses an ephemeral RSA-512 key to encrypt the AES key that actually locks the data. That AES key is stored inside each encrypted file, so cracking the RSA-512 key would allow the data to be decrypted without paying the attackers a ransom.

[Figure: How Zeppelin encryption works]

While working on this, the experts found that the public key remains in the registry of the infected system for about five minutes after data encryption is completed. The researchers managed to extract it by “cutting” it out of the file system, from Registration.exe memory dumps, and directly from NTUSER.Dat in the /User/[user_account]/ directory.

[Figure: An obfuscated key]

The resulting data was obfuscated using RC4. To get past this and crack the key, the experts used 800 CPUs across 20 servers (each with 40 CPUs on board), which recovered the key in six hours. After that, only the AES key remained to be extracted from the affected files.

Unit221b founder Lance James told reporters that the company has now decided to go public with the details of its work, since the number of Zeppelin victims has dropped significantly in recent months. The last major campaign using this ransomware was the series of attacks by Vice Society, which abandoned Zeppelin a few months ago.

According to James, the data decryption tool should work even for the latest versions of Zeppelin and will be available to all victims free of charge, upon request.

Emsisoft, which often releases its own free decryptors, told reporters that the large amount of computing power needed to recover the keys unfortunately stands in the way of a free tool for companies.

Unit221b Secretly Helped Victims of Zeppelin Ransomware for 2 Years
https://gridinsoft.com/blogs/zeppelin-ransomware-cipher-hacked-unit221b/
Mon, 21 Nov 2022 19:51:11 +0000

Security professionals at Unit221b found vulnerabilities in the Zeppelin ransomware encryption mechanism. Experts managed to use them to create a working decryptor that they have been using since 2020 to help victim companies recover files without paying the attackers a penny. The work was carried out covertly so hackers would not find out about vulnerabilities in their ransomware.

Unit221b succeeded in breaking Zeppelin after seeing the ransomware operators target charities, nonprofits and even hospices. Malware analysis from BlackBerry Cylance helped the company find the vulnerabilities in the ransomware.

What is Zeppelin ransomware?

Zeppelin is a ransomware gang that started its activity around the spring of 2019 under the name Vega/VegaLocker. Their malware has also gone by the names Jamper, Storm and Buran, though some analysts consider those spin-offs rather than renamed copies. Unlike a great number of other ransomware groups, they initially targeted ex-USSR countries. Since the beginning of 2022, they have drastically changed their approach and now avoid Russian-speaking countries. Like most other groups, Zeppelin uses the ransomware-as-a-service model, so its developers do not take part in distribution. Instead, they offer their “product” to hackers on various Darknet marketplaces, receiving an initial payment plus a share of each ransom. The main distribution methods the threat actors chose, and still use, are malvertising and watering hole attacks.

[Figure: Zeppelin ransom note, which appears after the encryption is over]

Aiming generally at organizations, Zeppelin never followed the so-called “blacklist” of targets. That list is an agreed selection of sectors that should not be attacked – governmental and non-profit organizations, hospitals, humanitarian organizations and educational infrastructure. The group freely attacked any kind of company, asking for one ransom for data decryption and a separate one for not publishing the stolen information. This practice, called “double extortion”, can sometimes multiply the ransom amount.

Zeppelin ransomware cipher hacked by Unit221b

The researchers noticed that Zeppelin uses an ephemeral 512-bit RSA key to encrypt the AES key that actually encrypts the files. The AES key was stored in the footer of each encrypted file. Hence, anyone who could crack the RSA-512 key would be able to decrypt the files without paying the attackers.

[Figure: Zeppelin encryption mechanism and its flaws]

The specialists also found that the public key remained in the attacked system’s registry for about 5 minutes after encryption was completed. The key could be extracted in three ways: by cutting the registry data out of the raw file system, from a registry.exe memory dump, or directly from the NTUSER.Dat file in the “/User/[username]/” directory. The resulting data was obfuscated using RC4. Once the experts had figured out this layer, they had to overcome the last obstacle – the encryption layer using RSA-2048.

[Figure: Obfuscated decryption key as plain text]

To overcome this hurdle, Unit221b used a total of 800 CPUs across 20 servers, each handling a small portion of the key. Six hours later the key was cracked, and the analysts were able to extract the AES key from the file footer. Unit221b founder Lance James said in an interview that the company decided to make the details public because the number of Zeppelin ransomware victims has dropped significantly in recent months. He said the decryption tool should work even with the latest versions of Zeppelin, and that it will be available to all victims who submit a request.

What then?

Zeppelin has definitely lost face, but that is unlikely to cause them many problems. Last month, their activity plummeted to zero; the latest submissions related to this group’s attacks appeared at the end of October. They likely have a relative – Vice Society ransomware, which successfully attacks companies almost daily. Overall, this is not the first time a ransomware cipher has been broken. Multiple vulnerabilities in HiddenTear ransomware allowed analysts to break its cipher easily. Some encryption cases were solved by hacking into the ransomware gang’s infrastructure or by capturing the threat actors. But such cases remain rare exceptions. Ransomware was and remains one of the most dangerous malware types; an attack may cost not only thousands of dollars but also a reputation.
