Security researchers found vulnerabilities in the encryption mechanism of the Zeppelin ransomware and exploited them to create a working decryptor they used since 2020 to help victim companies recover files without paying the attackers.
The developer of the decryption tool is Unit221b, a cybersecurity consulting company based in New Jersey, who had a technical report ready in February 2020 but delayed its publishing to keep the threat actor in the dark about the vulnerabilities in their file-encrypting malware.
Cracking Zeppelin
Unit221b was motivated to crack Zeppelin after seeing that the ransomware operators hit charity organizations, nonprofits, and even homeless shelters.
The cybersecurity consulting firm spotted potentially exploitable flaws in Zeppelin after reading an analysis of the malware from Blackberry Cylance in December 2019.
The researchers noticed that Zeppelin used an ephemeral RSA-512 key to encrypt the AES key that locked access to encrypted data.
The AES key was stored in the footer of each encrypted file, so if the RSA-512 key was cracked, the files could be decrypted without paying the attacker.
Unit221b found that this public key remained in the registry of the infected system for roughly five minutes after the data encryption completed.
Retrieving the key was possible by doing registry carving on the raw file system, the registry.exe memory dumps, and directly on the NTUSER.Dat in the “/User/[user_account]/” directory.
The resulting data is obfuscated with RC4, and after lifting that layer, Unit221b was left with one layer of RSA-2048 encryption.
To overcome this final obstacle, Unit221b used a total of 800 central processing units (CPUs) in 20 servers, each with 40 CPUs. that factored smaller parts of the key.
After six hours, the key had been cracked, and the analysts could work their way back to retrieve the AES key from the file footer.
Decryptor availability
Unit221b’s founder Lance James told BleepingComputer they decided to make all details public due to the Zeppelin ransomware victim influx dropping significantly in the recent months.
James said the decryption tool should work even for recent Zeppelin versions and is available to victims upon request.
Emsisoft’s threat analyst Brett Callow confirmed the drop in Zeppelin attacks, pointing out that the last major operation to use the ransomware strain was Vice Society, which abandoned it months ago.
Callow also noted that data recovery experts have been exploiting Zeppelin’s encryption vulnerability since mid-2020.
As for the possibility of Emsisoft releasing a public decryptor for the strain, the analyst told us the high cost of computing power to recover the keys does not make this a good candidate for a free tool that a company could use.
Zeppelin background
Zeppelin (aka ‘Buran’) is a Delphi-based ransomware strain of Russian origin that emerged in the wild in late 2019 as a semi-private project operating in small-circle partnerships.
The ransomware project extorted victims for an average of $50,000 and featured a robust AES-256-CBC encryption.
In 2021, the operation launched a heavily revamped version following a period of hiatus, offering several perks to its long-term partners.
More recently, in August 2022, the FBI posted an alert about Zeppelin ransomware, warning that its operators were now following the tactic of performing multiple encryptions on the breached systems.
This strange tactic created multiple victim IDs and files with multiple encryption layers, requiring several decryption keys and a lot of trial and error to restore the data even after paying the ransom.
