Researchers Exploited an Encryption Error to Recover Data Without Paying the Ransom
As the United States celebrates Thanksgiving, let's give thanks for some cybercriminal karma involving the Zeppelin ransomware: for two years, law enforcement and security experts have quietly helped victims decrypt their systems without paying a ransom.
Lance James and Joel Lathrop of cybersecurity firm Unit 221B wrote in a blog post that, while reviewing a December 2019 teardown of Zeppelin published by cybersecurity firm Cyble, they saw that "Zeppelin's architecture has several flaws" and "realized something that would open up an opportunity for recovery."
In the blog post, released to coincide with James' presentation this month at the Black Hat Middle East and Africa conference, they added:
The researchers found that Zeppelin (aka Buran) uses several different types of encryption, but that by factoring the RSA-512 public key generated on each infected system they could obtain the master key needed to decrypt all of that system's files. In February 2020, Unit 221B shared this information via "private access to assist law enforcement and protect victims of these attacks."
Unit 221B "also built a 'Live CD' version of Linux that a victim can run on an infected system to extract the RSA-512 key," reports security blogger Brian Krebs. "From there, we loaded the keys onto a cluster of 800 CPUs donated by hosting giant Digital Ocean and started cracking them. The company also used the same donated infrastructure to allow victims to use the recovered keys to decrypt their data."
The service was provided free of charge to victims, but like many aspects of ransomware recovery, it is not without costs: the RSA-512 public key on each compromised system has to be cracked. "Factoring is never free," James says. The company plans to "release the code, Live CD, and scripts to do it yourself on Digital Ocean" on Monday, but victims may also choose a different approach, such as using Amazon Web Services GPU instances.
"Based on Digital Ocean's current pricing, we believe it will cost users about $250 to crack the key," says James. "Our script automatically shuts down the machine correctly to save as much cost as possible. Factoring requires CPU time (or GPU time) from somewhere, which usually means some cost in the form of money, but the cost is negligible compared to paying the ransom."
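The recovery described above rests on one fact: an RSA public key only protects the private key as long as the modulus cannot be factored, and 512-bit moduli have been within reach of commodity hardware for years. The following Python is an added illustration, not Unit 221B's tooling or Zeppelin's code, and it uses a constructed toy key (two well-known 30-bit primes giving a 60-bit modulus) so that the factoring completes instantly; a real RSA-512 modulus needs a proper sieve and the kind of CPU cluster the article describes, and RSA-2048 is out of reach entirely. The `rsa_key_is_weak` check is the defender-side takeaway: a key length that can be factored for a few hundred dollars is a key length nothing should be generating.

```python
"""Toy demonstration: factor an RSA modulus, rebuild the private exponent,
and recover data encrypted to the public key. Added example; the key material
below is constructed for illustration and is not from any real system."""
from math import gcd

# Constructed toy key: two well-known primes give a ~60-bit modulus.
P_TOY = 1_000_000_007
Q_TOY = 998_244_353
E = 65537  # standard public exponent


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of the composite n using Pollard's rho.

    Deterministic variant: walks x -> x^2 + c mod n for c = 1, 2, ... so the
    same input always produces the same factor. Only practical for small n;
    the 512-bit case in the article needs a number-field sieve and a cluster.
    """
    if n % 2 == 0:
        return 2
    for c in range(1, 1000):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:                       # d == n means this c failed; try the next
            return d
    raise ValueError("no factor found (n may be prime)")


def recover_private_key(n: int, e: int):
    """Given only the public key (n, e), factor n and rebuild d = e^-1 mod phi(n).

    Returns (p, q, d) with p < q. This is exactly the step that turns a
    "public" key into the decryption key when the modulus is too small.
    """
    p = pollard_rho(n)
    q = n // p
    if p > q:
        p, q = q, p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return p, q, d


def rsa_encrypt(m: int, e: int, n: int) -> int:
    """Textbook RSA encryption of an integer m < n (no padding; toy only)."""
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    """Textbook RSA decryption with the private exponent d."""
    return pow(c, d, n)


def rsa_key_is_weak(n: int, min_bits: int = 2048) -> bool:
    """Defender's check: flag any RSA modulus shorter than the current floor.

    512-bit keys are factorable for a few hundred dollars of cloud CPU time;
    1024-bit keys are deprecated; 2048 bits is the common minimum today.
    """
    return n.bit_length() < min_bits


def demo() -> dict:
    """Encrypt a constructed secret with the toy public key, then recover it
    knowing nothing but (n, e). Returns the results for inspection."""
    n = P_TOY * Q_TOY
    secret = 0x5EC4E7                    # constructed stand-in for a per-victim key
    ciphertext = rsa_encrypt(secret, E, n)

    p, q, d = recover_private_key(n, E)  # attacker/recoverer knows only n and e
    recovered = rsa_decrypt(ciphertext, d, n)
    return {
        "modulus_bits": n.bit_length(),
        "flagged_weak": rsa_key_is_weak(n),
        "p": p,
        "q": q,
        "recovered_ok": recovered == secret,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block prints the factors, the modulus size, and confirms that the secret came back out of the ciphertext using a private exponent that was never shared. Swap the toy primes for anything near 256 bits each and `pollard_rho` will not return in any useful time, which is the whole point: the attacker's mistake was key size, not a broken algorithm.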
Early Targets: Technology and Healthcare
Zeppelin first appeared in November 2019 as a variant of the Russian-language, Delphi-based ransomware-as-a-service Vega, the BlackBerry Cylance Threat Research Team detailed at the time. Unusually, Vega was designed for shotgun-style attacks (quantity over quality) against Russian targets.
Shortly thereafter, Zeppelin turned west. "The first samples of Zeppelin were found targeting a handful of select technology and healthcare companies in Europe and the United States," BlackBerry Cylance researchers reported. "In total opposition to the Vega campaign, all Zeppelin binaries are designed to stop running if they are on machines based in Russia and some other former Soviet countries that are part of the Commonwealth of Independent States." According to experts, the malware is typically delivered via phishing attacks or by compromising Remote Desktop Protocol access.
After debuting in 2019, Zeppelin went on a temporary hiatus before announcing a new version in August 2020.
"From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and organizations in the healthcare and medical industries, among others," the U.S. Cybersecurity and Infrastructure Security Agency warned in an August alert. "Zeppelin actors have been known to demand ransom payments in bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars."
The Vice Society ransomware group appears to have been one of Zeppelin's users (see: An Unscrupulous Society Dealing in Various Types of Ransomware).
According to authorities, Zeppelin can be deployed multiple times within a victim's environment. "The FBI has observed Zeppelin actors executing their malware multiple times within a victim's network, creating different IDs or file extensions for each instance of the attack, so that the victim needs a unique decryption key for each one," according to the CISA alert.
Thank You for Errors, Retirements and Arrests
The Zeppelin workaround discovered by Unit 221B is said to have helped at least 20 victims, but it is not the first time victims have been able to recover encrypted systems without paying a ransom. The same has been possible with GandCrab, Ziggy, DarkSide, BlackMatter, and others.
This can come about in a number of ways, including:
- Errors: As with many legitimate products, encryption is difficult to implement correctly, and developers building ransomware face the same challenges.
- Police: If law enforcement infiltrates criminal infrastructure, as the FBI did with REvil/Sodinokibi last year, or arrests the masterminds, it may recover master keys that security companies can use to build free decryption tools. Many of these are cataloged by the No More Ransom project.
- Retirement: Some ransomware gangs, including Avaddon and Ziggy, have claimed to call it quits, releasing master keys for all victims and enabling the development of decryption tools (see: 'Fear' Likely Drove Avaddon Out of the Ransomware Game).
Spread the Word
Decrypting without paying a ransom does not undo the fact that an organization fell victim, and it typically still requires costly and time-consuming incident response to clean up the mess. It is a reminder that the best defense against ransomware is strong defenses and well-rehearsed plans that block attacks outright and minimize the damage when one succeeds.
Of course, the availability of a free ransomware decryptor should always be celebrated.
But quietly disseminating the workaround means that some victims may be unaware it exists. A comment posted Tuesday at the bottom of Unit 221B's blog post reads: "We are a hospital here. We were attacked by this ransomware virus 3 years ago. We have not decrypted it yet. Can you provide a decryption tool?"
In response, Unit 221B's James said, "We are dealing with them and we are going to help them."
This episode highlights the challenge: when a workaround is not made public, some victims do not benefit from it.
That places an obligation on every ransomware victim: always contact a ransomware response company (the initial consultation is always free) and, where possible, law enforcement, to check whether a workaround is available. For all the reasons above, not every ransomware "get out of jail free" card is publicly known. Help, provided on the QT, is just a phone call away (see: Note to Ransomware Victims: Asking for Help Can Save You Money).