March 15, 2023 By Jonathan Reed 4 min read

Imagine you’re an IT manager amid a ransomware attack. While your team scrambles for solutions, the intruders demand a ransom. Of course, you don’t want to pay; you just want your files back. But as time ticks by and the extortionists turn up the heat, your bosses are about to give in and pay the ransom.

But then, the FBI calls. “Don’t pay,” the agent says. “We’ve found someone who can crack the encryption.”

Sound too good to be true? This is precisely what happened to an IT manager for a tech manufacturer hit with the Zeppelin Russian ransomware in May 2020.

Ransomware isn’t bulletproof. Decryption tools and services already exist to combat it. Still, should the feds announce when they discover how to crack a strain of ransomware? There’s plenty of room for debate.

The rise of Zeppelin

In August 2022, the Cybersecurity and Infrastructure Security Agency released an alert indicating that from 2019 through at least June 2022, Zeppelin malware targeted a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, tech companies and healthcare organizations.

Zeppelin (formerly known as Vega or VegaLocker) was first discovered in 2019. It was distributed with other financial malware as part of a malvertising operation on Yandex.Direct, a Russian online advertising network. This campaign was aimed at Russian-speaking users (with a focus on people working in accounting) and was designed to have a broad reach.

Later, a significant shift occurred in Zeppelin’s targets from Russian-speaking users to Western countries. Their malware deployment methods also changed, suggesting new threat actors controlled the ransomware. This could have been the result of bad actors purchasing Zeppelin Ransomware-as-a-Service. Or they may have redeveloped the malware from bought, stolen or leaked sources.

Typically, Zeppelin demands ransom payments in Bitcoin, ranging from several thousand dollars to over a million dollars. But the good guys are fighting back.

Zeppelin ransomware decrypted

Recently, KrebsOnSecurity reported that a cybersecurity consulting firm in New Jersey called Unit 221B discovered vulnerabilities in Zeppelin’s malware encryption routines. This enabled the firm to brute-force the decryption keys in hours by leveraging dozens of computer servers.

What motivated Unit 221B to take down Zeppelin? Apparently, the Zeppelin attackers began targeting charities, nonprofits and homeless shelters. As Unit 221B stated in a blog post: “A general Unit 221B rule of thumb around our offices is: Don’t [REDACTED] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an ***hole.”

According to Brian Krebs, Unit 221B built a “Live CD” version of Linux that victims could run on infected systems to extract the ransomware’s RSA-512 keys. The keys were loaded into a cluster of 800 code-cracking CPUs donated by hosting giant Digital Ocean. The same donated infrastructure helped victims decrypt their data using the recovered keys.

The Unit 221B good guys are the ones that saved the IT manager mentioned at the beginning of this post. They also rescued over 20 other victims from Zeppelin attacks.

Should the government announce decryption?

One of the dilemmas facing the security community is whether to share information about ransomware decryption. What happens when criminals find out that their encryption has been cracked? They could easily modify their code to counteract decryption efforts.

Law enforcement and IT security companies have joined forces in the No More Ransom project to fight ransomware. This initiative includes the National High Tech Crime Unit of the Dutch police, Europol’s European Cybercrime Center and security firms Kaspersky and McAfee. They aim “to help ransomware victims retrieve their encrypted data without paying the criminals.”

The No More Ransom site features more than 160 decryption tools, each with a How To Guide. Security companies such as Kaspersky, Avast, Emsisoft, BitDefender and Check Point provided the tools.

Don’t know what strain of ransomware infected your computer? Simply use No More Ransom’s Crypto Sheriff function by first uploading an infected file. Then, Crypto Sheriff automatically checks to see whether it has a decryption tool for that ransomware strain in its database. ID Ransomware offers a similar solution.

Don’t pay the ransom

When ransomware strikes an organization, significant pressure builds to pay the ransom. However, security experts in the field and law enforcement agencies advise against paying for the following reasons:

  • There is no guarantee you will get your files back or that the thieves won’t leak or sell stolen data, even if you pay the ransom.
  • The moment someone steals data from a network, liabilities have already accrued. These include a regulatory obligation to report the data breach. Paying the ransom does not eliminate these liabilities.
  • Paying the ransom enables and encourages criminals to continue with their attacks. They can even return to attack a company that previously paid them ransom.

Count on security, not decryption

While there’s a chance good guys could save you with decryption tools, don’t count on it. Instead, you should implement a solid anti-ransomware security plan. Some security measures to consider include:

  • Keep operating systems and applications updated. This includes patching and automating updates. Periodic scans should verify that your operating systems work efficiently.
  • Know your assets and compartmentalize them. Isolate and limit access to those segments that are more exposed to threats.
  • Reduce the likelihood of malicious content reaching your networks. You should configure systems to inspect content and only allow certain file types. Threat intelligence can identify malicious websites, applications and protocols that should be blocked. Blacklisting and whitelisting rules can be established using live threat intelligence feeds.
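The third measure above, inspecting content rather than trusting file names and blocking domains from a threat intelligence feed, is easy to describe and easy to get wrong. The following is an added example written for this post, not code from the article or from any vendor mentioned in it. It assumes a gateway that can read the first bytes of an inbound file, an allowlist policy of its own choosing (the signature table below is the assumption, not a standard), and a constructed blocklist standing in for a live feed. The point it makes is that a file's extension is a claim, and the gateway verifies that claim against the bytes actually present before letting anything through.

```python
"""Content-based file-type allowlisting plus a threat-feed domain blocklist.

Added example, not from the article or any vendor's product: the file's
extension is never trusted on its own. The leading bytes must match an
allowlisted signature, executable headers are rejected under any name, and
URLs are matched against a (constructed) threat-intelligence domain feed.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Allowlisted types: extension -> accepted leading bytes (assumed policy).
ALLOWED_SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
}

# Executable headers that are rejected regardless of the claimed file name.
EXECUTABLE_SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def _extension(filename: str) -> str:
    """Return the final extension in lower case ('' if there is none)."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def classify_file(filename: str, head: bytes) -> Verdict:
    """Decide whether a file may enter, based on its leading bytes, not its name."""
    # 1. Executable content is blocked no matter what the name says.
    for magic, label in EXECUTABLE_SIGNATURES.items():
        if head.startswith(magic):
            return Verdict(False, f"{label} content (claimed name {filename!r})")
    # 2. The claimed type must be on the allowlist at all.
    ext = _extension(filename)
    if ext not in ALLOWED_SIGNATURES:
        return Verdict(False, f"extension {ext or '<none>'!r} not on allowlist")
    # 3. The bytes must actually match the claimed type.
    if not any(head.startswith(m) for m in ALLOWED_SIGNATURES[ext]):
        return Verdict(False, f"content does not match {ext!r} signature")
    return Verdict(True, f"{ext!r} content verified")


def is_blocked_domain(url: str, blocked_domains: set[str]) -> bool:
    """True if the URL's host is a blocked domain or any subdomain of one."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Check every suffix so cdn.evil.example matches a feed entry of evil.example.
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))


# Constructed sample inputs: the first bytes a gateway would read from each file.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("photo.JPG", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),  # executable renamed as a PDF
    ("notes.txt", b"plain text"),                       # type not on the allowlist
    ("report.docx", b"%PDF-1.4"),                       # extension/content mismatch
]

# Constructed stand-in for a live threat-intelligence feed of malicious domains.
CONSTRUCTED_FEED = {"evil-ads.example", "malvertise.example"}


def screen_samples() -> dict[str, bool]:
    """Run every constructed sample through the policy; True means allowed."""
    return {name: classify_file(name, head).allowed for name, head in SAMPLES}


if __name__ == "__main__":
    for name, head in SAMPLES:
        verdict = classify_file(name, head)
        print(f"{name:15} {'ALLOW' if verdict.allowed else 'BLOCK':5} {verdict.reason}")
    for url in ("https://cdn.evil-ads.example/payload", "https://example.com/"):
        print(f"{url:40} blocked={is_blocked_domain(url, CONSTRUCTED_FEED)}")
```

Only the first few bytes are needed for the decision, so the check costs almost nothing at a mail or web gateway; the value is that a renamed executable (`statement.pdf` above) is caught by its `MZ` header, while a file whose bytes disagree with its extension is blocked even when both the name and the content are individually innocuous. Real deployments would load the allowlist and the domain feed from configuration and update the feed continuously rather than hard-coding them as done here.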

Organizations should also consider a comprehensive extended detection and response (XDR) solution. XDR works by collecting telemetry from various points across the network and correlating it to reveal advanced threats. Detected threats are then prioritized, analyzed and triaged to prevent security breaches and data loss.

XDR helps organizations to achieve visibility, automation and contextual security insights. It also provides a single unified workflow across IT tools.

While we applaud ransomware decryption efforts, the real heroes will be those who protect themselves.
