Zeppelin ransomware decryptor developed

BleepingComputer reports that New Jersey-based cybersecurity consulting firm Unit221b developed a working Zeppelin ransomware decryptor after reviewing a BlackBerry Cylance analysis and identifying flaws in the ransomware strain's encryption mechanism. According to a report from Unit221b, Zeppelin has used an ephemeral RSA-512 key to encrypt the AES key found in each encrypted file's footer, suggesting that cracking that key could result in free file decryption. To facilitate key retrieval, researchers conducted registry carving on the raw file system, NTUSER.Dat in the "/User/[user_account]/" directory, and the registry.exe memory dumps, while final RSA-2048 encryption was cracked through 800 central processing units across 20 servers. Although a technical report on the decryptor was available in February 2020, details were publicly disclosed only now, following the significant decline in Zeppelin ransomware victims, according to Unit221b founder Lance James, who added that the tool could also decrypt newer Zeppelin versions.