Researchers secretly helped decrypt Zeppelin ransomware for 2 years


Security researchers found vulnerabilities in the encryption mechanism of the Zeppelin ransomware and exploited them to create a working decryptor they used since 2020 to help victim companies recover files without paying the attackers.

The developer of the decryption tool is Unit221b, a cybersecurity consulting company based in New Jersey, which had a technical report ready in February 2020 but delayed publishing it to keep the threat actor in the dark about the vulnerabilities in their file-encrypting malware.

Cracking Zeppelin

Unit221b was motivated to crack Zeppelin after seeing that the ransomware operators hit charity organizations, nonprofits, and even homeless shelters.


The cybersecurity consulting firm spotted potentially exploitable flaws in Zeppelin after reading an analysis of the malware from Blackberry Cylance in December 2019.

The researchers noticed that Zeppelin used an ephemeral RSA-512 key to encrypt the AES key that locked access to encrypted data.

The AES key was stored in the footer of each encrypted file, so if the RSA-512 key was cracked, the files could be decrypted without paying the attacker.

[Image: Zeppelin ransomware encryption keys logic (Unit221b)]

Unit221b found that this public key remained in the registry of the infected system for roughly five minutes after the data encryption completed.

Retrieving the key was possible by doing registry carving on the raw file system, the registry.exe memory dumps, and directly on the NTUSER.Dat in the “/User/[user_account]/” directory.

The resulting data is obfuscated with RC4, and after lifting that layer, Unit221b was left with one layer of RSA-2048 encryption.

[Image: Retrieved public key in obfuscated form (Unit221b)]

To overcome this final obstacle, Unit221b used a total of 800 central processing units (CPUs) across 20 servers with 40 CPUs each, which factored smaller parts of the key.

After six hours, the key had been cracked, and the analysts could work their way back to retrieve the AES key from the file footer.
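The recovery chain the article describes, as an added illustration that is not Unit221b's tool and uses only constructed values: strip the RC4 layer from a carved public-key blob, factor the modulus, derive the private exponent, and unwrap the file key stored in the footer. A toy 60-bit modulus stands in for the RSA-512 key so it factors instantly; the RC4 key, the footer layout and the 8-byte key size are assumptions.

```python
import math, random

# Constructed toy parameters, NOT Zeppelin's real values: a ~60-bit modulus stands in for
# the RSA-512 key so Pollard's rho finishes in a second (the real key took 800 CPUs six hours).
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
RC4_KEY = b"constructed-rc4-key"            # assumed obfuscation key
AES_KEY = bytes.fromhex("0011223344556677")  # 8-byte stand-in for the 32-byte AES-256 key

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR: the obfuscation layer over the registry-resident public key."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of odd n; adequate for the toy modulus, hopeless for 512 bits."""
    while True:
        c, x = random.randrange(1, n), random.randrange(2, n)
        y, d = x, 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d

def recover_aes_key(footer: bytes, carved_pubkey: bytes, rc4_key: bytes) -> bytes:
    """Walk the chain from the article: de-obfuscate, factor, then unwrap the per-file key."""
    blob = rc4(rc4_key, carved_pubkey)                        # strip RC4 -> (n, e)
    n, e = int.from_bytes(blob[:8], "big"), int.from_bytes(blob[8:], "big")
    p = pollard_rho(n)
    d = pow(e, -1, (p - 1) * (n // p - 1))                    # private exponent from the factors
    wrapped = int.from_bytes(footer[-8:], "big")              # assumed: last 8 footer bytes = RSA(key)
    return pow(wrapped, d, n).to_bytes(8, "big")

# Constructed artefacts as a responder would carve them: the registry blob and one file footer.
CARVED_PUBKEY = rc4(RC4_KEY, N.to_bytes(8, "big") + E.to_bytes(4, "big"))
FILE_FOOTER = b"<ciphertext bytes>" + pow(int.from_bytes(AES_KEY, "big"), E, N).to_bytes(8, "big")
```

With the unwrapped key in hand, a real decryptor would feed it to AES-256-CBC over the file body; that step is omitted here because the footer format and IV placement are not on the page.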

Decryptor availability

Unit221b’s founder Lance James told BleepingComputer they decided to make all details public because the influx of Zeppelin ransomware victims has dropped significantly in recent months.

James said the decryption tool should work even for recent Zeppelin versions and is available to victims upon request.

Emsisoft’s threat analyst Brett Callow confirmed the drop in Zeppelin attacks, pointing out that the last major operation to use the ransomware strain was Vice Society, which abandoned it months ago.

Callow also noted that data recovery experts have been exploiting Zeppelin’s encryption vulnerability since mid-2020.

As for the possibility of Emsisoft releasing a public decryptor for the strain, the analyst told us that the high cost of the computing power needed to recover the keys makes it a poor candidate for a free tool that a company could use.

Zeppelin background

Zeppelin (aka ‘Buran’) is a Delphi-based ransomware strain of Russian origin that emerged in the wild in late 2019 as a semi-private project operating in small-circle partnerships.

The ransomware project extorted victims for an average of $50,000 and used AES-256-CBC encryption.

In 2021, the operation launched a heavily revamped version following a period of hiatus, offering several perks to its long-term partners.

More recently, in August 2022, the FBI posted an alert about Zeppelin ransomware, warning that its operators were now following the tactic of performing multiple encryptions on the breached systems.

This strange tactic created multiple victim IDs and files with multiple encryption layers, requiring several decryption keys and a lot of trial and error to restore the data even after paying the ransom.

https://www.bleepingcomputer.com/news/security/researchers-secretly-helped-decrypt-zeppelin-ransomware-for-2-years/
