Profero successfully cracked the encryption of DarkBit ransomware, enabling victims to recover files without payment. The attack was linked to Iranian cyber activities, and the malware’s weaknesses were exploited to facilitate data recovery. #DarkBit #MuddyWater
Key points
- Profero analyzed DarkBit ransomware during a 2023 incident response to a VMware ESXi server attack.
- The attack was believed to be a retaliation for Iranian drone strikes targeting a military factory.
- DarkBit encrypts with a unique AES-128-CBC key that is itself wrapped with RSA-2048, but the AES key is generated with low entropy, which makes it recoverable.
- Researchers leveraged the sparse nature of VMDK files to recover data without full decryption.
- Profero is not releasing the decryptor publicly but offers assistance to future victims.