Imagine you’re an IT manager amid a ransomware attack. While your team scrambles for solutions, the intruders demand a ransom. Of course, you don’t want to pay; you just want your files back. But as time ticks by and the extortionists turn up the heat, your bosses are about to give in and pay the ransom.

But then, the FBI calls. “Don’t pay,” the agent says. “We’ve found someone who can crack the encryption.”

Sound too good to be true? This is precisely what happened to an IT manager for a tech manufacturer hit with the Zeppelin Russian ransomware in May 2020.

Ransomware isn’t bulletproof. Decryption tools and services already exist to combat it. Still, should the feds announce when they discover how to crack a strain of ransomware? There’s plenty of room for debate.

The Rise of Zeppelin

In August 2022, the Cybersecurity and Infrastructure Security Agency released an alert indicating that from 2019 through at least June 2022, Zeppelin malware targeted a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, tech companies and healthcare organizations.

Zeppelin (formerly known as Vega or VegaLocker) was first discovered in 2019. It was distributed with other financial malware as part of a malvertising operation on Yandex.Direct, a Russian online advertising network. This campaign was aimed at Russian-speaking users (with a focus on people working in accounting) and was designed to have a broad reach.

Later, a significant shift occurred in Zeppelin’s targets from Russian-speaking users to Western countries. Their malware deployment methods also changed, suggesting new threat actors controlled the ransomware. This could have been the result of bad actors purchasing Zeppelin Ransomware-as-a-Service. Or they may have redeveloped the malware from bought, stolen or leaked sources.

Typically, Zeppelin demands ransom payments in Bitcoin, ranging from several thousand dollars to over a million dollars. But the good guys are fighting back.

Zeppelin Ransomware Decrypted

Recently, KrebsOnSecurity reported that a cybersecurity consulting firm in New Jersey called Unit 221B discovered vulnerabilities in Zeppelin’s malware encryption routines. This enabled the firm to brute-force the decryption keys in hours by leveraging dozens of computer servers.

What motivated Unit 221B to take down Zeppelin? Apparently, the Zeppelin attackers began targeting charities, nonprofits and homeless shelters. As Unit 221B stated in a blog post: “A general Unit 221B rule of thumb around our offices is: Don’t [REDACTED] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an ***hole.”

According to Brian Krebs, Unit 221B built a “Live CD” version of Linux that victims could run on infected systems to extract the ransomware’s RSA-512 keys. The keys were loaded into a cluster of 800 code-cracking CPUs donated by hosting giant DigitalOcean. The same donated infrastructure helped victims decrypt their data using the recovered keys.

The Unit 221B good guys are the ones that saved the IT manager mentioned at the beginning of this post. They also rescued over 20 other victims from Zeppelin attacks.

Should the Government Announce Decryption?

One of the dilemmas facing the security community is whether to share information about ransomware decryption. What happens when criminals find out that their encryption has been cracked? They could easily modify their code to counteract decryption efforts.

Law enforcement and IT security companies have joined forces in the No More Ransom project to fight ransomware. This initiative includes the National High Tech Crime Unit of the Dutch police, Europol’s European Cybercrime Center and security firms Kaspersky and McAfee. They aim “to help ransomware victims retrieve their encrypted data without paying the criminals.”

The No More Ransom site features more than 160 decryption tools, each with a How To Guide. Security companies such as Kaspersky, Avast, Emsisoft, BitDefender and Check Point provided the tools.

Don’t know what strain of ransomware infected your computer? Simply use No More Ransom’s Crypto Sheriff function by first uploading an infected file. Then, Crypto Sheriff automatically checks to see whether it has a decryption tool for that ransomware strain in its database. ID Ransomware offers a similar solution.

Don’t Pay the Ransom

When ransomware strikes an organization, significant pressure builds to pay the ransom. However, security experts in the field and law enforcement agencies advise against paying for the following reasons:

  • There is no guarantee you will get your files back or that the thieves won’t leak or sell stolen data, even if you pay the ransom.
  • The moment someone steals data from a network, liabilities have already accrued. These include a regulatory obligation to report the data breach. Paying the ransom does not eliminate these liabilities.
  • Paying the ransom enables and encourages criminals to continue with their attacks. They can even return to attack a company that previously paid them ransom.

Count on Security, Not Decryption

While there’s a chance good guys could save you with decryption tools, don’t count on it. Instead, you should implement a solid anti-ransomware security plan. Some security measures to consider include:

  • Keep operating systems and applications updated. This includes patching and automating updates. Periodic scans should verify that your operating systems work efficiently.
  • Know your assets and compartmentalize them. Isolate and limit access to those segments that are more exposed to threats.
  • Reduce the likelihood of malicious content reaching your networks. You should configure systems to inspect content and only allow certain file types. Threat intelligence can identify malicious websites, applications and protocols that should be blocked. Blacklisting and whitelisting rules can be established using live threat intelligence feeds.

Organizations should also consider a comprehensive extended detection and response (XDR) solution. This works by collecting and correlating data across various network points. The data is analyzed and correlated to reveal advanced threats. Threats are prioritized, analyzed and sorted to prevent security breaches and data loss.

XDR helps organizations to achieve visibility, automation and contextual security insights. It also provides a single unified workflow across IT tools.

While we applaud ransomware decryption efforts, the real heroes will be those who protect themselves.
