March 15, 2023 By Jonathan Reed

Imagine you’re an IT manager amid a ransomware attack. While your team scrambles for solutions, the intruders demand a ransom. Of course, you don’t want to pay; you just want your files back. But as time ticks by and the extortionists turn up the heat, your bosses are about to give in and pay the ransom.

But then, the FBI calls. “Don’t pay,” the agent says. “We’ve found someone who can crack the encryption.”

Sound too good to be true? This is precisely what happened to an IT manager for a tech manufacturer hit with the Zeppelin Russian ransomware in May 2020.

Ransomware isn’t bulletproof. Decryption tools and services already exist to combat it. Still, should the feds announce when they discover how to crack a strain of ransomware? There’s plenty of room for debate.

The rise of Zeppelin

In August 2022, the Cybersecurity and Infrastructure Security Agency released an alert indicating that from 2019 through at least June 2022, Zeppelin malware targeted a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, tech companies and healthcare organizations.

Zeppelin (formerly known as Vega or VegaLocker) was first discovered in 2019. It was distributed with other financial malware as part of a malvertising operation on Yandex.Direct, a Russian online advertising network. This campaign was aimed at Russian-speaking users (with a focus on people working in accounting) and was designed to have a broad reach.

Later, a significant shift occurred in Zeppelin’s targets from Russian-speaking users to Western countries. Their malware deployment methods also changed, suggesting new threat actors controlled the ransomware. This could have been the result of bad actors purchasing Zeppelin Ransomware-as-a-Service. Or they may have redeveloped the malware from bought, stolen or leaked sources.

Typically, Zeppelin demands ransom payments in Bitcoin, ranging from several thousand dollars to over a million dollars. But the good guys are fighting back.

Zeppelin ransomware decrypted

Recently, KrebsOnSecurity reported that a cybersecurity consulting firm in New Jersey called Unit 221B discovered vulnerabilities in Zeppelin’s malware encryption routines. This enabled the firm to brute-force the decryption keys in hours by leveraging dozens of computer servers.

What motivated Unit 221B to take down Zeppelin? Apparently, the Zeppelin attackers began targeting charities, nonprofits and homeless shelters. As Unit 221B stated in a blog post: “A general Unit 221B rule of thumb around our offices is: Don’t [REDACTED] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an ***hole.”

According to Brian Krebs, Unit 221B built a “Live CD” version of Linux that victims could run on infected systems to extract the ransomware’s RSA-512 keys. The keys were loaded into a cluster of 800 code-cracking CPUs donated by hosting giant Digital Ocean. The same donated infrastructure helped victims decrypt their data using the recovered keys.

The Unit 221B good guys are the ones that saved the IT manager mentioned at the beginning of this post. They also rescued over 20 other victims from Zeppelin attacks.

Should the government announce decryption?

One of the dilemmas facing the security community is whether to share information about ransomware decryption. What happens when criminals find out that their encryption has been cracked? They could easily modify their code to counteract decryption efforts.

Law enforcement and IT security companies have joined forces in the No More Ransom project to fight ransomware. This initiative includes the National High Tech Crime Unit of the Dutch police, Europol’s European Cybercrime Center and security firms Kaspersky and McAfee. They aim “to help ransomware victims retrieve their encrypted data without paying the criminals.”

The No More Ransom site features more than 160 decryption tools, each with a How To Guide. Security companies such as Kaspersky, Avast, Emsisoft, BitDefender and Check Point provided the tools.

Don’t know what strain of ransomware infected your computer? Simply use No More Ransom’s Crypto Sheriff function by first uploading an infected file. Then, Crypto Sheriff automatically checks to see whether it has a decryption tool for that ransomware strain in its database. ID Ransomware offers a similar solution.

Don’t pay the ransom

When ransomware strikes an organization, significant pressure builds to pay the ransom. However, security experts in the field and law enforcement agencies advise against paying for the following reasons:

  • There is no guarantee you will get your files back or that the thieves won’t leak or sell stolen data, even if you pay the ransom.
  • The moment someone steals data from a network, liabilities have already accrued. These include a regulatory obligation to report the data breach. Paying the ransom does not eliminate these liabilities.
  • Paying the ransom enables and encourages criminals to continue with their attacks. They can even return to attack a company that previously paid them ransom.

Count on security, not decryption

While there’s a chance good guys could save you with decryption tools, don’t count on it. Instead, you should implement a solid anti-ransomware security plan. Some security measures to consider include:

  • Keep operating systems and applications updated. This includes patching and automating updates. Periodic scans should verify that your operating systems work efficiently.
  • Know your assets and compartmentalize them. Isolate and limit access to those segments that are more exposed to threats.
  • Reduce the likelihood of malicious content reaching your networks. You should configure systems to inspect content and only allow certain file types. Threat intelligence can identify malicious websites, applications and protocols that should be blocked. Blacklisting and whitelisting rules can be established using live threat intelligence feeds.
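The third measure above says to inspect content and allow only certain file types. The following is an added example, not code from the article, from Unit 221B or from No More Ransom, of what "inspect content" means in practice: a file-type allowlist that checks the leading bytes (magic numbers) of the file rather than trusting its extension, so that an executable renamed to look like a PDF is still blocked. The allowlist, the magic values and the sample files are constructed for this illustration.

```python
import os

# Constructed allowlist: permitted extension -> magic byte prefixes that
# genuinely belong to that type. Anything not listed here is blocked.
# Note that .docx is a ZIP container (PK\x03\x04), so other OOXML formats
# would need their own entry and deeper inspection to tell them apart.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),
}


def detect_type(data: bytes):
    """Return the allowlisted extension whose magic bytes match the content, or None."""
    for ext, magics in ALLOWED_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def check_file(name: str, data: bytes) -> dict:
    """Decide whether a file may pass, based on BOTH its extension and its content.

    Returns {"allowed": bool, "reason": str} so the caller can log why a file
    was blocked (useful for tuning the allowlist and for incident review).
    """
    ext = os.path.splitext(name)[1].lower()  # last extension only, case-insensitive
    if ext not in ALLOWED_TYPES:
        return {"allowed": False, "reason": f"extension {ext or '(none)'} is not on the allowlist"}
    detected = detect_type(data)
    if detected is None:
        return {"allowed": False, "reason": "content does not match any allowlisted type"}
    if detected != ext:
        # Extension spoofing: the bytes say one thing, the name says another.
        return {"allowed": False, "reason": f"content looks like {detected} but extension is {ext}"}
    return {"allowed": True, "reason": "extension and content agree"}


# Constructed sample files (name, first bytes) standing in for mail attachments
# or downloads. The "MZ" header marks a Windows executable.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("update.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),  # executable renamed to .pdf
    ("quarterly.docx", b"PK\x03\x04\x14\x00\x06\x00"),
]


def run_samples() -> dict:
    """Check every constructed sample and return the verdicts keyed by file name."""
    return {name: check_file(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        status = "ALLOW" if verdict["allowed"] else "BLOCK"
        print(f"{status:5} {name:16} {verdict['reason']}")
```

Running it blocks `update.exe` (extension not allowlisted) and `statement.pdf` (content is an executable) while passing the three files whose name and content agree. This is one layer only: a genuine PDF or Office document can still carry malicious content, so the check belongs in front of, not instead of, scanning and the threat-intelligence blocking the article describes.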

Organizations should also consider a comprehensive extended detection and response (XDR) solution. This works by collecting and correlating data across various network points. The data is analyzed and correlated to reveal advanced threats. Threats are prioritized, analyzed and sorted to prevent security breaches and data loss.

XDR helps organizations to achieve visibility, automation and contextual security insights. It also provides a single unified workflow across IT tools.

While we applaud ransomware decryption efforts, the real heroes will be those who protect themselves.
