Breakthrough in Ransomware Fight: Profero Cracks DarkBit Encryption
Good news for the victims of the DarkBit ransomware: researchers at cybersecurity firm Profero have cracked the encryption process, allowing them to recover files for free without paying the ransom. This breakthrough is a significant development in the fight against ransomware attacks.
Israel's National Cyber Directorate has linked the DarkBit ransomware operation to the Iran-nexus threat actor MuddyWater APT group. This connection highlights the sophistication and reach of state-sponsored cyber threats.
In 2023, Profero responded to a DarkBit ransomware attack that encrypted multiple VMware ESXi servers. The attackers had previously targeted Israeli institutions, and this incident was suspected as retaliation for Iranian drone strikes. The group demanded 80 Bitcoin and included anti-Israel messages in their ransom notes.
During analysis of DarkBit ransomware, Profero researchers discovered that the encryption process used a weak and predictable key generation method, based on AES-128-CBC. By utilizing file timestamps and known VMDK headers, they reduced the keyspace to billions of possibilities, enabling efficient brute-forcing.
"We made use of an AES-128-CBC key breaking harness to test if our theory was correct," reads a report published by Profero. "The harness ran in a high-performance environment, allowing us to speed through the task as quickly as possible, and after a day of brute-forcing, we were successful!"
The researchers realized that this method wasn't scalable due to its high cost. However, they continued their investigation, leveraging a tool to test all possible seeds and generate key and IV pairs.
"VMDK files are sparse, which means they are mostly empty," explains Profero. "Therefore, the chunks encrypted by the ransomware in each file are also mostly empty. Statistically, most files contained within the VMDK filesystems won't be encrypted, and most files inside these file systems were anyways not relevant to us/our task/our investigation."
"So, we realized we could walk the file system to extract what was left of the internal VMDK filesystems… and it worked! Most of the files we needed could simply be recovered without decryption," concludes Profero. "This breakthrough paves the way for victims of DarkBit ransomware to recover their files for free, without paying the ransom."
Profero has yet to release the decryptor tool, but this development marks a significant step forward in combatting ransomware attacks.
Follow us on Twitter: @securityaffairs
Facebook and Mastodon:
Stay informed about the latest cybersecurity news and developments by following our social media channels.