MuddyWater’s DarkBit Ransomware Cracked: Free Data Recovery for Victims
In a significant breakthrough, cybersecurity firm Profero has cracked the encryptors used by the DarkBit ransomware gang, which has been linked to the Iranian MuddyWater group, allowing victims to recover their files without paying a ransom. The attack took place in 2023, and Profero experts were brought in to investigate it after one of their clients was hit.
A Retaliatory Attack Against Iran
The timing of the cyberattack suggests it was retaliation for the 2023 drone strikes in Iran that targeted an ammunition factory belonging to the Iranian Defence Ministry. The attackers claimed to be DarkBit, a group that had previously posed as pro-Iranian hacktivists targeting educational institutes in Israel. Their ransom notes included anti-Israel statements and demanded payments of 80 Bitcoin.
A Nation-State Actor's Signature
Israel's National Cyber Command has linked DarkBit attacks to MuddyWater, an Iranian state-sponsored APT group with a history of cyberespionage. In this incident the attackers did not engage in ransom negotiations and instead appeared more interested in causing operational disruption.
A Unique Encryption Method
DarkBit generates a fresh AES-128-CBC key and Initialization Vector (IV) at runtime for each file, encrypts them with RSA-2048, and appends the result to the locked file. Profero researchers found that the method DarkBit uses to generate these keys is low entropy. Combined with the encryption timestamp, which can be inferred from file modification times, this reduces the total keyspace to a few billion possibilities.
A High-Performance Computing Environment
Profero built a tool that tries every possible seed, generates the candidate key/IV pair for each, and checks the result against known VMDK headers. Running it in a high-performance computing environment, they recovered valid decryption keys. In parallel, the researchers found that much of the VMDK file content had not been touched by DarkBit's intermittent encryption.
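The following Go program is an added illustration of the recovery approach described in the two paragraphs above; it is not Profero's tool, and the key-derivation scheme in it is a hypothetical stand-in, since the article does not publish DarkBit's real one. It seeds a non-cryptographic PRNG from a 16-bit per-file counter mixed with the encryption timestamp, then brute-forces that reduced keyspace over a window of timestamps around the file's modification time, verifying each candidate key/IV by decrypting only the first CBC block and comparing it with the known opening bytes of a VMDK sparse-extent header.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/rand"
)
// Known plaintext: a VMDK sparse extent starts with the magic "KDMV" followed by a
// little-endian uint32 version (1 here), giving 8 bytes to check each candidate against.
var vmdkKnown = []byte("KDMV\x01\x00\x00\x00")
// deriveKeyIV is a HYPOTHETICAL low-entropy scheme (not DarkBit's real one): a 16-bit
// per-file counter mixed with the encryption timestamp seeds a non-cryptographic PRNG.
func deriveKeyIV(counter uint16, ts int64) (key, iv []byte) {
	rng := rand.New(rand.NewSource(ts<<16 | int64(counter)))
	key, iv = make([]byte, 16), make([]byte, 16)
	rng.Read(key) // PRNG output becomes the AES-128 key...
	rng.Read(iv)  // ...and the CBC IV
	return key, iv
}
// encryptCBC encrypts whole 16-byte blocks with AES-128-CBC (no padding needed here).
func encryptCBC(plain, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out
}
// recoverKey tries every counter for each timestamp within +/-window seconds of the
// file's mtime, decrypting only the first CBC block and comparing it with vmdkKnown.
func recoverKey(ct []byte, mtime, window int64) (key, iv []byte, ts int64, ok bool) {
	first := make([]byte, 16)
	for t := mtime - window; t <= mtime+window; t++ {
		for c := 0; c <= 0xFFFF; c++ {
			k, v := deriveKeyIV(uint16(c), t)
			block, _ := aes.NewCipher(k)
			cipher.NewCBCDecrypter(block, v).CryptBlocks(first, ct[:16])
			if bytes.Equal(first[:8], vmdkKnown) {
				return k, v, t, true
			}
		}
	}
	return nil, nil, 0, false
}
func main() { // constructed sample: header encrypted at 1700000000, file mtime 7 s later
	k, v := deriveKeyIV(0xBEEF, 1700000000)
	ct := encryptCBC(append(append([]byte{}, vmdkKnown...), make([]byte, 24)...), k, v)
	_, _, ts, ok := recoverKey(ct, 1700000007, 10)
	fmt.Println("recovered:", ok, "timestamp:", ts)
}
```

The RSA-2048 wrapping of the per-file key is irrelevant to this search: the candidate keys are regenerated from the seed, never unwrapped.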
A Breakthrough in File Recovery
The team realized that VMDK files are sparse, meaning large parts of them are empty. This let them retrieve significant amounts of valuable data without decrypting it by brute-forcing keys: they walked the file system to extract what remained of the internal VMDK filesystems and were able to recover most of the needed files with relatively little effort.
A Lesson in Ransomware Tactics
Profero noted that DarkBit's objectives would have been better served by a data wiper than by ransomware. The attackers' refusal to negotiate left Profero no choice but to dissect the malware's encryption in search of a recovery method.
Help for Future Victims
While Profero is not publicly releasing the DarkBit decryptor, the firm told BleepingComputer that future victims can contact it for assistance.