March 15, 2023 By Jonathan Reed 4 min read

Imagine you’re an IT manager amid a ransomware attack. While your team scrambles for solutions, the intruders demand a ransom. Of course, you don’t want to pay; you just want your files back. But as time ticks by and the extortionists turn up the heat, your bosses are about to give in and pay the ransom.

But then, the FBI calls. “Don’t pay,” the agent says. “We’ve found someone who can crack the encryption.”

Sound too good to be true? This is precisely what happened to an IT manager at a tech manufacturer hit with the Russian Zeppelin ransomware in May 2020.

Ransomware isn’t bulletproof. Decryption tools and services already exist to combat it. Still, should the feds announce when they discover how to crack a strain of ransomware? There’s plenty of room for debate.

The rise of Zeppelin

In August 2022, the Cybersecurity and Infrastructure Security Agency released an alert indicating that from 2019 through at least June 2022, Zeppelin malware targeted a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, tech companies and healthcare organizations.

Zeppelin (formerly known as Vega or VegaLocker) was first discovered in 2019. It was distributed with other financial malware as part of a malvertising operation on Yandex.Direct, a Russian online advertising network. This campaign was aimed at Russian-speaking users (with a focus on people working in accounting) and was designed to have a broad reach.

Later, a significant shift occurred in Zeppelin’s targets, from Russian-speaking users to Western countries. The malware’s deployment methods also changed, suggesting that new threat actors controlled the ransomware. This could have been the result of bad actors purchasing Zeppelin as Ransomware-as-a-Service. Or they may have redeveloped the malware from bought, stolen or leaked sources.

Typically, Zeppelin demands ransom payments in Bitcoin, ranging from several thousand dollars to over a million dollars. But the good guys are fighting back.

Zeppelin ransomware decrypted

Recently, KrebsOnSecurity reported that a cybersecurity consulting firm in New Jersey called Unit 221B discovered vulnerabilities in Zeppelin’s malware encryption routines. This enabled the firm to brute-force the decryption keys in hours by leveraging dozens of computer servers.

What motivated Unit 221B to take down Zeppelin? Apparently, the Zeppelin attackers began targeting charities, nonprofits and homeless shelters. As Unit 221B stated in a blog post: “A general Unit 221B rule of thumb around our offices is: Don’t [REDACTED] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an ***hole.”

According to Brian Krebs, Unit 221B built a “Live CD” version of Linux that victims could run on infected systems to extract the ransomware’s RSA-512 keys. The keys were loaded into a cluster of 800 code-cracking CPUs donated by hosting giant Digital Ocean. The same donated infrastructure helped victims decrypt their data using the recovered keys.
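The following is an added illustration, not Unit 221B’s Live CD or cluster code, of why a small RSA modulus is fatal for the attacker: once the public modulus is factored, the private exponent and therefore every ciphertext follow. A real 512-bit modulus is factored with number field sieve tooling (CADO-NFS, for instance) on many cores, not with the Pollard’s rho used here; the modulus, primes, exponent and message below are constructed for this example so that it runs in under a second.

```python
"""Toy-scale illustration of why a weak RSA key lets defenders decrypt.

Added example, not Unit 221B's tooling. Their cluster factored real 512-bit
moduli, which needs number-field-sieve software (e.g. CADO-NFS) and many
cores. Here the modulus is 64 bits so Pollard's rho factors it quickly, but
the steps after factoring are the same: rebuild the private exponent, then
decrypt what the ransomware encrypted with the public key.
"""
import math

# Constructed toy key pair (assumption: chosen only for this example).
P = 4294967291  # 2**32 - 5, prime
Q = 4294967279  # 2**32 - 17, prime
E = 65537
N = P * Q


def pollard_rho(n):
    """Return a non-trivial factor of composite n (Floyd cycle detection)."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:          # found a proper factor
            return d
        c += 1              # unlucky polynomial; retry with a new constant


def recover_private_key(n, e):
    """Factor n, then derive d = e^-1 mod (p-1)(q-1). Returns (p, q, d), p < q."""
    p = pollard_rho(n)
    q = n // p
    if p > q:
        p, q = q, p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)     # modular inverse, Python 3.8+
    return p, q, d


def rsa_encrypt(message, n, e):
    """Textbook RSA on a short message (must be < n); no padding, toy only."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def rsa_decrypt(ciphertext, n, d, length):
    """Undo rsa_encrypt; length is the original message size in bytes."""
    return pow(ciphertext, d, n).to_bytes(length, "big")


def demo():
    # Attacker side: only the public key (N, E) is needed to encrypt, so
    # that is all that has to be present on the victim machine.
    secret = b"FILEKEY"          # stands in for a per-file symmetric key
    wrapped = rsa_encrypt(secret, N, E)

    # Defender side: recover the private key from the public modulus alone.
    p, q, d = recover_private_key(N, E)
    assert {p, q} == {P, Q}
    return rsa_decrypt(wrapped, N, d, len(secret))


if __name__ == "__main__":
    print(demo())               # b'FILEKEY'
```

The point is the asymmetry: the victim machine only ever holds the public modulus, yet that is enough for the defender if the modulus is small enough to factor. In a hybrid scheme the recovered private exponent would unwrap each per-file symmetric key rather than the message itself.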

The Unit 221B good guys are the ones that saved the IT manager mentioned at the beginning of this post. They also rescued over 20 other victims from Zeppelin attacks.

Should the government announce decryption?

One of the dilemmas facing the security community is whether to share information about ransomware decryption. What happens when criminals find out that their encryption has been cracked? They could easily modify their code to counteract decryption efforts.

Law enforcement and IT security companies have joined forces in the No More Ransom project to fight ransomware. This initiative includes the National High Tech Crime Unit of the Dutch police, Europol’s European Cybercrime Center and security firms Kaspersky and McAfee. They aim “to help ransomware victims retrieve their encrypted data without paying the criminals.”

The No More Ransom site features more than 160 decryption tools, each with a How To Guide. Security companies such as Kaspersky, Avast, Emsisoft, Bitdefender and Check Point provided the tools.

Don’t know what strain of ransomware infected your computer? Simply use No More Ransom’s Crypto Sheriff function by first uploading an infected file. Then, Crypto Sheriff automatically checks to see whether it has a decryption tool for that ransomware strain in its database. ID Ransomware offers a similar solution.

Don’t pay the ransom

When ransomware strikes an organization, significant pressure builds to pay the ransom. However, security experts in the field and law enforcement agencies advise against paying for the following reasons:

  • There is no guarantee you will get your files back or that the thieves won’t leak or sell stolen data, even if you pay the ransom.
  • The moment someone steals data from a network, liabilities have already accrued. These include a regulatory obligation to report the data breach. Paying the ransom does not eliminate these liabilities.
  • Paying the ransom enables and encourages criminals to continue with their attacks. They can even return to attack a company that previously paid them ransom.

Count on security, not decryption

While there’s a chance good guys could save you with decryption tools, don’t count on it. Instead, you should implement a solid anti-ransomware security plan. Some security measures to consider include:

  • Keep operating systems and applications updated. This includes patching and automating updates. Periodic vulnerability scans should verify that patches were actually applied and that no unsupported versions remain in use.
  • Know your assets and compartmentalize them. Isolate and limit access to those segments that are more exposed to threats.
  • Reduce the likelihood of malicious content reaching your networks. You should configure systems to inspect content and only allow certain file types. Threat intelligence can identify malicious websites, applications and protocols that should be blocked. Blacklisting and whitelisting rules can be established using live threat intelligence feeds.

Organizations should also consider a comprehensive extended detection and response (XDR) solution. This works by collecting and correlating data across various network points. The data is analyzed and correlated to reveal advanced threats. Threats are prioritized, analyzed and sorted to prevent security breaches and data loss.

XDR helps organizations to achieve visibility, automation and contextual security insights. It also provides a single unified workflow across IT tools.

While we applaud ransomware decryption efforts, the real heroes will be those who protect themselves.
