Cybersecurity firm Profero has successfully cracked the encryption used by DarkBit ransomware, allowing victims to recover their files without paying a ransom. While the decryptor hasn't been released yet, the breakthrough offers hope to those affected.
DarkBit has been linked to Iran-affiliated MuddyWater APT and previously targeted Israeli institutions. In one 2023 attack, the group encrypted VMware ESXi servers and demanded 80 Bitcoin, embedding anti-Israel messages in ransom notes. The focus was more on disruption and propaganda than financial gain.
Profero discovered that DarkBit’s AES-128-CBC encryption used weak, predictable keys. By analyzing file timestamps and VMDK headers, they reduced the keyspace and brute-forced decryption in a high-performance computing environment. Though each file took a day to decrypt, they found a workaround.
Instead of brute-forcing every file, Profero leveraged the sparsity of VMDK files—many parts were left unencrypted. This allowed them to extract most needed data directly from the file system without full decryption.
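The weakness described above, as an added example rather than code from Profero or DarkBit: the key-derivation scheme (`weakKey`), the header sample and the IV are constructed assumptions, chosen only to show why a key that depends on a single timestamp collapses the keyspace to a window around the file's mtime, and how a known plaintext (the VMDK sparse-extent magic at offset 0) lets each candidate be checked with one block decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// "KDMV" is the little-endian byte form of the VMDK sparse-extent magic
// 0x564d444b: a known plaintext at offset 0 to test candidate keys against.
var vmdkMagic = []byte("KDMV")

// weakKey is a hypothetical, deliberately weak derivation (not DarkBit's real
// one): the whole 128-bit key is a function of a single Unix timestamp, so the
// effective keyspace is the window of plausible timestamps, not 2^128.
func weakKey(ts int64) []byte {
	k := make([]byte, 16)
	binary.LittleEndian.PutUint64(k[:8], uint64(ts))
	binary.LittleEndian.PutUint64(k[8:], uint64(ts)*0x9E3779B97F4A7C15)
	return k
}

// encryptFirstBlock encrypts the first 16 bytes of data with AES-128-CBC.
func encryptFirstBlock(key, iv, data []byte) []byte {
	block, _ := aes.NewCipher(key) // 16-byte key, cannot fail
	out := make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data[:aes.BlockSize])
	return out
}

// recoverTimestamp walks the window [lo, hi] (e.g. file mtime +/- slack) and
// returns the timestamp whose key decrypts block 0 to the VMDK magic.
func recoverTimestamp(ct, iv []byte, lo, hi int64) (int64, bool) {
	pt := make([]byte, aes.BlockSize)
	for ts := lo; ts <= hi; ts++ {
		block, _ := aes.NewCipher(weakKey(ts))
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
		if bytes.Equal(pt[:4], vmdkMagic) {
			return ts, true
		}
	}
	return 0, false
}

func main() {
	// Constructed sample: VMDK-like header (magic, version 1, flags 3), fixed IV.
	header := append([]byte("KDMV"), 1, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0)
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)
	ct := encryptFirstBlock(weakKey(1690000000), iv, header)
	fmt.Println(recoverTimestamp(ct, iv, 1690000000-900, 1690000000+900)) // 1690000000 true
}
```

A 30-minute window is 1801 AES block operations; the same search against a key drawn from a CSPRNG has no such window and does not terminate, which is the property a defender should verify in any encryption routine they rely on.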
The researchers proved recovery was possible and are now refining their methods to help more victims efficiently.