Researchers Quietly Cracked Zeppelin Ransomware Keys (krebsonsecurity.com) 24
Brian Krebs writes via KrebsOnSecurity: Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called "Zeppelin" in May 2020. He'd been on the job less than six months, and because of the way his predecessor architected things, the company's data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter's bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. "Don't pay," the agent said. "We've found someone who can crack the encryption." Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder -- Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn't long before James discovered multiple vulnerabilities in the malware's encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.
In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn't want to tip its hand to Zeppelin's creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed. This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code. "The minute you announce you've got a decryptor for some ransomware, they change up the code," James said. But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B's referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists. [...]
The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects. "If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!" [James and co-author Joel Lathrop wrote in a blog post]. "The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key." Unit 221B ultimately built a "Live CD" version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys. A more technical writeup on Unit 221B's discoveries (cheekily titled "0XDEAD ZEPPELIN") is available here.
In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn't want to tip its hand to Zeppelin's creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed. This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code. "The minute you announce you've got a decryptor for some ransomware, they change up the code," James said. But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B's referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists. [...]
The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects. "If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!" [James and co-author Joel Lathrop wrote in a blog post]. "The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key." Unit 221B ultimately built a "Live CD" version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys. A more technical writeup on Unit 221B's discoveries (cheekily titled "0XDEAD ZEPPELIN") is available here.
Good thing criminals are dumb (Score:5, Insightful)
Everyone knows you don't roll your own crypto.
Re: (Score:2)
And neither the "dept" nor any comments so far respect proper refs on a story of a downed zeppelin. Oh the humanity!
Re: (Score:1)
Re: (Score:2)
From TFA:
"The minute you announce you've got a decryptor for some ransomware, they change up the code," James said. But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B's referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists. [...]
Re: (Score:1)
There are other ransomware groups out there yes? I'm saying in general announcing companies that can crack ransomware seems like a bad idea.
Re: Crowing about advances ? (Score:2)
Re: (Score:2)
Are you feeling OK? Do you have a phone number for the Samaritans? If not, their number is welded onto the guard rail on the Forth Road Bridge.
I barely even read the summary, but... (Score:2)
Asking for a friend.
Re: (Score:2, Informative)
Minimum recommendation is 2048 bits. RSA-512 keys have been cracked and using 512 bits has been considered insecure for 20+ years.
Re:I barely even read the summary, but... (Score:4, Informative)
In 1991 a RSA factoring challenge was issued. The contest ended in 2007. RSA512 was factored in 1999.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Be aware in the early days RSA was numbered based on decimal digit length, so RSA512 would be referred to as RSA155 (155 decimal digits, 512 binary digits).
Note that the latest one factored is RSA250 (828 bits) in 2020, which is getting uncomfortably close to 1024 (especially if you use degenerate keys). RSA2048 should last a good long while yet and if you're paranoid, there is RSA4096
Also remember this was likely done using contemporary equipment of the day so RSA512 is probably trivially crackable within days using massive cloud computers and such.
Re: (Score:2)
So my next questions would be... why didn't the Bad Guys use longer keys? It doesn't cost anything.
Re: (Score:2)
More importantly, because there is a time window during which the decryption keys are potentially accessible in memory, then getting the encryption step done as quickly as possible remains sensible.
To the victim, finding out what the key length used in your case would probably be a very unimportant task compared to identifying the attack, checking the back-ups (all of them !) and searching for mitigations - while figuring out if the attackers have a r
RSA-512 (Score:2)
Seriously? Who uses that? It seems like so dumb a decision it has to be deliberate, but to what end? Maybe they figured to make it crackable if they lose the keys or feel regret?
Re: (Score:2)
> Maybe they figured to make it crackable if they lose the keys or feel regret?
Perhaps it's so that certain people who can fire drone-based missiles at their office building will have other options.
Note to self: don't talk to Brian Krebs (Score:1)
"Peter, who spoke candidly about the attack on condition of anonymity, said..."
Microsoft malware strikes again (Score:2)