Security professionals at Unit221b found vulnerabilities in the Zeppelin ransomware encryption mechanism and used them to create a working decryptor that they have been using since 2020 to help victim companies recover files without paying the attackers a penny. The work was carried out covertly so that hackers would not find out about vulnerabilities in their ransomware.
Unit221b was determined to hack Zeppelin after seeing ransomware operators targeting charities, nonprofits and even homeless shelters. Malware analysis from BlackBerry Cylance helped the company discover vulnerabilities in the ransomware.
The researchers noticed that Zeppelin uses an ephemeral 512-bit RSA key to encrypt the AES key, which prevents the victim from accessing the encrypted data. The AES key was stored in the footer of each encrypted file, so if someone could crack the RSA-512 key, they would be able to decrypt the files without paying the attackers.
Specialists from Unit221b found that the public key remained in the registry of the infected system for about five minutes after the data encryption was completed. The key could be extracted in three ways: by carving the registry data from the raw file system, from a registry.exe memory dump, or directly from the NTUSER.Dat file in the "/User/[username]/" directory. The resulting data was obfuscated using RC4. Once the experts had stripped this obfuscation layer, they had to overcome the last obstacle: the encryption layer using RSA-2048.
To overcome this hurdle, Unit221b used a total of 800 CPUs across 20 servers, each handling a small portion of the key. Six hours later, the key was cracked, and analysts were able to extract the AES key from the footer of the file.
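The recovery path the article describes (a per-file AES key wrapped with a short-lived RSA key and stored in the file footer, so that factoring the modulus yields every key) is easy to see on a small scale. The following is an added example written for this page, not Unit221b's decryptor and not Zeppelin's real file format: a 64-bit modulus made from two constructed 32-bit primes stands in for the 512-bit one, textbook RSA over 4-byte chunks stands in for whatever padding the malware uses, the footer layout is invented, and a SHA-256 keystream stands in for AES so the script needs only the standard library. The point it demonstrates is the general one: once the modulus is small enough to factor, the private exponent follows from the public key alone, and every wrapped key in every footer falls with it.

```python
"""Toy model of recovering hybrid-encrypted files when the RSA modulus is short.

Assumptions (not from the article): 64-bit modulus instead of 512-bit, textbook
RSA over 4-byte key chunks, a constructed footer layout, and a SHA-256 keystream
in place of AES.  Everything below is illustrative, not the real tooling.
"""
import hashlib
import math
import random
import struct

FOOTER_MAGIC = b"TOYF"   # constructed marker for the demo footer
CHUNK = 4                # bytes of AES key per RSA block (must fit under the 8-byte modulus)
KEY_LEN = 32             # 256-bit file key, as in the article
P, Q = 4294967291, 4294967279   # two 32-bit primes chosen for the demo
E = 65537


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">Q", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt_file(plaintext: bytes, aes_key: bytes, n: int, e: int) -> bytes:
    """Body encrypted under aes_key; footer carries n, e and the RSA-wrapped key."""
    assert len(aes_key) == KEY_LEN and n.bit_length() <= 64
    body = stream_xor(aes_key, plaintext)
    wrapped = b"".join(
        struct.pack(">Q", pow(int.from_bytes(aes_key[i:i + CHUNK], "big"), e, n))
        for i in range(0, KEY_LEN, CHUNK))
    footer = FOOTER_MAGIC + struct.pack(">QI", n, e) + wrapped
    return body + footer


def parse_footer(blob: bytes):
    """Split an encrypted file into body, public key (n, e) and wrapped key chunks."""
    footer_len = len(FOOTER_MAGIC) + 12 + 8 * (KEY_LEN // CHUNK)   # 80 bytes
    body, footer = blob[:-footer_len], blob[-footer_len:]
    if not footer.startswith(FOOTER_MAGIC):
        raise ValueError("footer marker missing")
    n, e = struct.unpack(">QI", footer[4:16])
    chunks = [struct.unpack(">Q", footer[i:i + 8])[0] for i in range(16, footer_len, 8)]
    return body, n, e, chunks


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle finding, f(x) = x^2 + c).

    Fine for a 64-bit toy modulus; a real 512-bit modulus needs a number field
    sieve and the kind of CPU farm the article describes.
    """
    if n % 2 == 0:
        return 2
    rng = random.Random(1)
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def recover_private_exponent(n: int, e: int) -> int:
    """Factor n, then derive d from the public exponent alone."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def recover_file(blob: bytes):
    """Defender's path: read the footer, factor n, unwrap the key, decrypt the body."""
    body, n, e, chunks = parse_footer(blob)
    d = recover_private_exponent(n, e)
    key = b"".join(pow(c, d, n).to_bytes(CHUNK, "big") for c in chunks)
    return key, stream_xor(key, body)


def demo():
    """Encrypt a constructed sample, then recover it without the private key."""
    key = bytes(range(KEY_LEN))                                  # constructed file key
    plaintext = b"donor-list.csv contents (constructed sample data)"
    blob = encrypt_file(plaintext, key, P * Q, E)
    rec_key, rec_plain = recover_file(blob)
    return rec_key == key, rec_plain == plaintext


if __name__ == "__main__":
    print("key recovered, file recovered:", demo())
```

Two things carry over from the toy to the real case. First, the footer gives the analyst everything needed except the factorisation: n and e are public, and the wrapped key is right there in the file, which is why a decryptor can be built once the modulus falls. Second, the only parameter that changes the cost is the modulus size; `pollard_rho` handles 64 bits in well under a second, a 512-bit modulus took Unit221b 800 CPUs and six hours, and a properly sized modulus is out of reach entirely, so "ephemeral" does nothing for security when the key is short enough to factor after the fact.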
Unit221b founder Lance James told BleepingComputer that the company decided to make the details public because the number of Zeppelin ransomware victims has dropped significantly in recent months. Lance said the decryption tool should work even with the latest versions of Zeppelin and will be available to all victims who submit a request.