Zeppelin Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Tue, 22 Nov 2022 08:55:01 +0000 en-US hourly 1 https://wordpress.org/?v=63545 200474804 Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years https://gridinsoft.com/blogs/zeppelin-ransomware-victims/ https://gridinsoft.com/blogs/zeppelin-ransomware-victims/#respond Tue, 22 Nov 2022 08:55:01 +0000 https://gridinsoft.com/blogs/?p=12137 Since 2020, some information security specialists have helped victims, as individuals and companies affected by the Zeppelin ransomware. The fact is that a number of vulnerabilities were found in the encryptor, which were used to create a working decryptor. Let me remind you that we talked that Microsoft Links Hacker Group Vice Society to Several… Continue reading Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years

The post Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years appeared first on Gridinsoft Blog.

]]>
Since 2020, some information security specialists have helped victims, as individuals and companies affected by the Zeppelin ransomware. The fact is that a number of vulnerabilities were found in the encryptor, which were used to create a working decryptor.

Let me remind you that we talked that Microsoft Links Hacker Group Vice Society to Several Ransomware Campaigns (including using Zeppelin malware), and also that Azov Ransomware Tries to Set Up Cybersecurity Specialists.

The publication Bleeping Computer says that the authors of this decoder were specialists from the consulting information security company Unit221b. Back in 2020, they prepared a report on vulnerabilities in the ransomware, but eventually delayed its publication so that attackers would not know about the possibility of free file decryption.

Unit221b experts decided to try to hack Zeppelin when it was discovered that malware operators were attacking charitable and non-profit organizations and even homeless shelters.

Starting with a 2019 BlackBerry Cylance report, the researchers found that Zeppelin uses an ephemeral RSA-512 key to encrypt an AES key that blocks access to encrypted data. At the same time, the AES key was stored in each encrypted file, that is, cracking the RSA-512 key would allow decrypting the data and not paying a ransom to attackers.

Zeppelin ransomware victims
How Zeppelin encryption works

While working on this version, the experts found that the public key remains in the registry of the infected system for about five minutes after data encryption is completed. We managed to extract it by “cutting” it from the file system, Registration.exe memory dumps and directly from NTUSER.Dat in the /User/[user_account]/ directory.

Zeppelin ransomware victims
An Obfuscated key

The resulting data was obfuscated using RC4, and to deal with this problem, the experts used the power of 800 CPUs on 20 servers (each with 40 CPUs on board), which eventually cracked the key in six hours. After that, it remained only to extract the AES key from the affected files.

Unit221b founder Lance James told reporters that the company has now decided to go public with the details of the work done, as the number of Zeppelin victims has dropped significantly in recent months. The last major campaign using this ransomware was the attacks by the Vice Society, which abandoned Zeppelin a few months ago.

According to James, the data decryption tool should work even for the latest versions of Zeppelin and will be available to all victims free of charge, upon request.

Emsisoft, who often release their own free decryptors, told reporters that the need for a lot of computing power to recover keys, unfortunately, hinders the creation of a free tool for companies.

The post Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/zeppelin-ransomware-victims/feed/ 0 12137
Unit221b Secretly Helped Victims of Zeppelin Ransomware for 2 Years https://gridinsoft.com/blogs/zeppelin-ransomware-cipher-hacked-unit221b/ https://gridinsoft.com/blogs/zeppelin-ransomware-cipher-hacked-unit221b/#respond Mon, 21 Nov 2022 19:51:11 +0000 https://gridinsoft.com/blogs/?p=12128 Security professionals at Unit221b found vulnerabilities in the Zeppelin ransomware encryption mechanism. Experts managed to use them to create a working decryptor that they have been using since 2020 to help victim companies recover files without paying the attackers a penny. The work was carried out covertly so hackers would not find out about vulnerabilities… Continue reading Unit221b Secretly Helped Victims of Zeppelin Ransomware for 2 Years

The post Unit221b Secretly Helped Victims of Zeppelin Ransomware for 2 Years appeared first on Gridinsoft Blog.

]]>
Security professionals at Unit221b found vulnerabilities in the Zeppelin ransomware encryption mechanism. Experts managed to use them to create a working decryptor that they have been using since 2020 to help victim companies recover files without paying the attackers a penny. The work was carried out covertly so hackers would not find out about vulnerabilities in their ransomware.

Unit221b succeeded at hacking Zeppelin after seeing ransomware operators targeting charities, nonprofits and even hospices. Malware analysis from Blackberry Cylance helped the company discover vulnerabilities in the ransomware.

What is Zeppelin ransomware?

Zeppelin is a ransomware gang that started its activity around the spring of 2019, under the name of Vega/VegaLocker. Their malware also featured the name Jamper, Storm and Buran, but some analysts consider it a spin-off rather than a renamed copy. Contrary to a great number of other ransomware groups, they first aimed for ex-USSR countries. Since the beginning of 2022, they drastically changed their looks and opted to avoid Russian-speaking countries. Like most other groups, Zeppelin uses the ransomware-as-a-service model, thus its developers do not take part in distribution. Instead, they offer their “product” to hackers at different Darknet marketplaces, receiving an initial payment and per-ransom contribution. The key way of distribution threat actors chose and still use is malvertising and watering hole attacks.

Zeppelin ransomware note
Zeppelin ransom note, that appears after the encryption is over

Aiming generally for organizations, Zeppelin never followed the so-called “blacklist” of possible targets. That list is an agreed selection of sectors that should not be attacked – governmental and non-profit organizations, hospitals, humanitarian orgs and educational infrastructure. The group freely attacked any kind of company, asking for a separate ransom for data decryption and non-publishing of the leaked information. This practice, called “double extortion”, can sometimes increase the ransom amount multiple times.

Zeppelin ransomware cipher hacked by Unit221b

The researchers noticed that Zeppelin uses an ephemeral 512-bit RSA key to encrypt the AES key, which actually ciphers the files. The AES key was stored in the footer of each encrypted file. Hence, if someone could crack the RSA-512 key, they would be able to decrypt the files without paying the attackers.

Zeppelin ransomware encryption mechanism
Zeppelin encryption mechanism and its flaws

Specialists also found that the public key remained in the attacked system’s registry for about 5 minutes after the encryption was completed. The key could be extracted in three ways. Those are cutting the registry data from the raw file system, registry.exe memory dump, and directly from the NTUSER.Dat file in the “/User/[username]/” directory. The resulting data was obfuscated using RC4. Once the experts figured out this encryption layer, they had to overcome the last obstacle – the encryption layer using RSA-2048.

Obfuscated key
Obfuscated decryption key as a plain text

To overcome this hurdle, Unit221b used a total of 800 CPUs across 20 servers, each handling small portions of the key. Six hours later, the key was cracked, and analysts succeeded to extract the key from the file footer. Unit221b founder Lance James said in his interview that the company decided to make the details public because Zeppelin ransomware victims have dropped significantly in recent months. Lance said the decryption tool should work even with the latest versions of Zeppelin. It will also be available to all victims who leave a request.

What then?

Zeppelin definitely lost its image, but that won’t likely create many problems for them. Last month, their activity plummet to zero. The latest submissions related to the attack of this group appeared at the end of October. They’ve likely got an ancestor – Vice Society ransomware, that successfully attacks companies almost daily. Overall, that’s not the first time the ransomware cipher was hacked. Multiple vulnerabilities within HiddenTear ransomware allowed the analysts to break the cipher easily. Some of the encryption cases were solved via hacking into the ransomware gang’s infrastructure or capturing the threat actors. But those cases still have a share of statistical errors. Ransomware was and remains one of the most dangerous malware types, which attack may cost not only thousands of dollars but also a reputation.

The post Unit221b Secretly Helped Victims of Zeppelin Ransomware for 2 Years appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/zeppelin-ransomware-cipher-hacked-unit221b/feed/ 0 12128