Anna Delaney: The ransomware gang Zepplin came to get punctured by cybercrime karma and with FTX’s collapse, the cycle of cryptocurrency loss continues. These stories and more on this week’s ISMG Security Report. Hello, I’m Anna Delaney. This week, the U.S. celebrates Thanksgiving. Here’s something to be thankful for. Security researchers finding a workaround that has been helping victims of Zepplin ransomware decrypt their files without having to pay a ransom. Filling us in is Mathew Schwartz, ISMG’s executive editor for DataBreachToday and Europe. So Matt, how does Zepplin come to get punctured by a bit of cybercrime karma?
Mathew Schwartz: Well, about two years ago, Anna, two researchers at cybersecurity firm Unit 221B were reviewing a teardown of Zepplin ransomware which was then still new. And they noticed there were a few flaws within the architectures that would open an opportunity for recovery, they say. Specifically, the ransomware, when it hits a computer, generates an RSA-512 public key. And with enough computing power, the researchers were able to crack the key. That meant that every infected system, if correctly handled, could have its encrypted files get decrypted without having to pay a ransom by factoring the public key. And so, Unit 221B shared this information with a small group of others, including law enforcement, to help victims.
Delaney: Could victims decrypt for free?
Schwartz: So, free from having to pay a ransom? Yes. And the service has been getting offered via Unit 221B with the help of others, including hosting giant Digital Ocean, which donated a cluster of CPUs to handle the factoring. Now the researchers also built a live CD version of Linux, the victims can run on an infected system to factor the key. But this isn’t exactly free. So Lance James, who’s the CEO of Unit 221B, and one of the two researchers who identified this workaround, says “Next week, they’re going to release the code, the Live CD and scripts victims can use to unlock Zepplin-locked files via Digital Ocean. Although victims could also pick a different approach. They could, for example, use GPUs via Amazon Web Service instances. And there’s at least one researcher who’s got experience with this that they can put victims in touch with. So James tells me that this won’t be free since factoring is never free. It was donated before by DigitalOcean, and somebody has to pay for these CPUs or GPUs. So from now on, anyone who wants to make use of this workaround, James says, it’s going to be about $250 to crack a key on each individual system. And this script they’ve developed will automatically shut down the machines correctly to save as much cost as possible. Once it’s done, they don’t need the CPUs, they’ll shut it down. So as James told me $250, not free, but it’s cheaper than having to pay a ransom.
Delaney: And what have these lost profits meant for Zepplin?
Schwartz: Well, anything that takes a bite out of cybercrime is to be celebrated and Zepplin’s operators may have been wondering why the ransomware wasn’t as lucrative as they might have hoped. So at least, yet, we don’t have any insight into what was happening inside the group or if it was aware, maybe one of the members of the group will leak their internal chat logs like we saw with Conti and we can all celebrate their collective dissatisfaction. But the group has remained active despite the apparent setback of not getting as much ransoms as it should have, at least until earlier this year. In August, the U.S. Cybersecurity Infrastructure and Security Agency (CISA) noted that from 2019 through at least June this year, attackers had been using Zepplin to target a wide range of businesses and critical infrastructure organizations. Think defense contractors, educational institutions, manufacturers, tech firms and especially organizations like healthcare and medical industries, the ransom is being demanded by Zepplin-wielding attackers ranged from several thousand dollars to more than a million dollars.
Delaney: Matt, how common is it for researchers to quietly find workarounds for ransomware?
Schwartz: It happens. We’ve seen it before with GandCrab, DarkSide, BlackMatter and many more. Encryption is difficult and security researchers are often smart, they’re constantly looking to see if criminals have screwed up something in their coding or implementation. But there is an underlying challenge, which is that if researchers find these flaws and publicize them, attackers are going to quickly fix them. Cybercrime is a business, they want to maximize their profits. So what you see is the likes of this Zepplin workaround being circulated on the QT. So there’s one takeaway I have for any organization that might fall victim to ransomware. It’s this: always reach out to ransomware response firms and an initial consultation should always be free, also reach out to law enforcement even if you don’t end up sharing evidence with them. But as with response firms, they may also know of available workarounds and can put you in touch with the people who can make it happen. Because of the risk of attackers fixing their mistakes, multiple get-out-of-jail cards for free that might be in existence today, or probably still not public knowledge. Help could be just a phone call away.
Delaney: Great insight and advice. As always, thank you so much, Matt.
Schwartz: Thanks, Anna.
Delaney: After the news of the collapse of cryptocurrency exchange FTX, ISMG’s Jeremy Kirk, managing editor for security and technology, recalls his own cryptocurrency adventure and learnings laced with a strong security message.
Jeremy Kirk: A cryptocurrency exchange called FTX collapsed recently and billions of dollars are missing. This is, by far, not the first time an exchange has fallen. After the collapse of the FTX cryptocurrency exchange, I received a small postcard from Japan. The sender was Mt. Gox. A decade ago, I bought a Bitcoin for $12. I was intrigued. The blockchain and the Bitcoins shadowy architects Satoshi Nakamoto were fascinating. It felt mysterious, somewhat rebellious and was a technological marvel. I bought more. I was interested in how trading worked. At that time, Mt. Gox was the biggest cryptocurrency exchange around. It was in Tokyo. It felt wild and exciting, buying private keys for cash wired to Japan, which are then sent by open-source software. At one time, I had 300 Bitcoins, I had no expectation of making money, and the fact that I did was purely by accident. I just wanted to learn how Bitcoin worked. The best way to do that was by trading and seeing how confirmations worked and experimenting. In 2013, the value shot up. My wife and I were expecting. Bitcoin continued to rise and I realized that people are buying this stuff. This is crazy. But anyone who’s seriously looked at Bitcoin and cryptocurrency knows it’s impractical and difficult to secure. As a transactional system, Bitcoin is slow. And where do you store it? Hold it on your computer? What if the hard drive crashes? What if you forget your password or get hacked? Should you just hold it on an exchange? Well, that’s where my Bitcoins were in February 2014 – on Mt. Gox, then Mt. Gox crashed and burned. A security flaw allowed hackers over three years to slowly steal Bitcoins, 850,000 of them, in fact, worth $460 million. It was the biggest bank robbery ever. Mt. Gox entered administration. I had 13 Bitcoins at Mt. Gox at the time, worth about $540 each. It was pure profit. A week before, I’d planned on selling the Bitcoins for cash. We needed baby things and a clothes dryer, then Gox collapsed. I felt dumb. I wasn’t hurt as bad as others, but the money would have helped. A month later, Mt. Gox found 200,000 missing Bitcoins in a cold wallet. There was hope. Over the years, the value of those Bitcoins rose tremendously. The bankruptcy case became one of the strangest ever and one in which the remaining assets of a collapse business increased in value. After many years, Japan’s courts worked out an unprecedented and complicated deal. Creditors would get cash, Bitcoin, or a mix of both. I’ll get a couple of Bitcoins and some cash. It’s like finding a lottery ticket from years ago in the couch cushions. The babies are now nine-years-old, and we had another one as well. Instead of baby things to buy, now there are kid things. Will I sell both of the Bitcoins? Maybe just one, but the point of my tale is that cryptocurrency overall is impractical, risky and as FTX shows, the cycle of steep loss continues. And unlike the unconventional story of Mt. Gox, there may be no reimbursement for those who lost funds ever. Be careful. For Information Security Media Group. I’m Jeremy Kirk.
Delaney: And finally, industry insight from our business editor Michael Novinson who reports that security vendor ExtraHop secures Ex-Check Point executive Chris Scanlan as president. Great to see you, Michael. Michael, you’ve written this week that ExtraHop has snagged high-profile executive Chris Scanlon to help the network security provider reach $500 million in annual recurring revenue. Talk to us more about this move and Chris Scanlan’s background.
Michael Novinson: Absolutely. Thank you for having me on. Chris Scanlan is well-known in the security world, given his resume. He’s held high-level sales positions at Check Point, Cylance as well as at Optiv and he’s been a sales mastermind, some in North America and also some globally, in terms of maturing organizations. And that’s why he was brought in here at ExtraHop. They’re looking to take that next leap. They were acquired early last year by a pair of private equity firms paying Bain Capital and Crosspoint Capital for 900 million. And they’re looking to have the company expand and scale before they exit the business, presumably in the next two to four years or so. So Bain had first brought in Patrick Dennis, earlier this year to be their CEO. He had spent a number of years at EMC and Oracle. And then, Patrick, along with the private equity ownership, selected Chris to come in and be his right-hand man as the president and the chief commercial officer, where he’s been tasked with revamping everything around go to market. So in the case of ExtraHop, they had 140 million of annual recurring revenue last year and thinking about how do we get to that 500-million figure before being in Crosspoint, exit the company in a couple of years. So that’s about maturing the company, bringing in some experienced leadership, creating some systems and processes around marketing and brand awareness, growing the company outside of North America – they’ve been North American-centric – and then also reforming that channel programs so that they’re leveraging MSSPs, value-added resellers, etc. more than they are today. Because just as once you get to a certain size, it’s impossible to serve through a direct sales force. So maybe Cylance is the cleanest example, but how to get them scaled the same way that you have Cylance, and so he’s trying to help them think on that bigger picture.
Delaney: And Michael, recently, we’ve been talking more about layoffs in the tech world than hires, unfortunately. What is ExtraHops thinking here as we go into tougher economic times?
Novinson: It’s a fair question. And there was coverage out of some of the business journals in the Seattle Washington area where they’re based that they did make some headcount reductions last month, but ExtraHop emphasized and their responses is that their overall headcount has expanded by 30%. So it was more, maybe a refinement moving away from less profitable market segments are certainly less profit marketers, trying to figure out where they want to expand. So it doesn’t sound like there’s many further cuts on the horizon, probably are going to be some new executive hires. But some of this is going to be thinking about, especially in the sales world, how much work do we want our direct sales force doing? How much of this can we leverage MSSPs? If you’re leveraging channel partners more that there’s less of a need for folks in the direct sales force side. So it sounds like from my conversations with Chris that there will continue to be gradual headcount growth, nothing dramatic, given the economic times and the need for responsible growth and having a path to profitability. But it does look like going forward, we’re looking at some gradual headcount expansion largely focused on some marketing functions, some education functions, as well as some channel functions to make sure that they can support a larger book of business.
Delaney: Very good. Well, Michael, as ever, thanks so much for this insight.
Novinson: You’re welcome.
Delaney: That’s it from ISMG Security Report. Theme music is by Ithaca Audio. I’m Anna Delaney. Until next time.