DarkBit ransomware targeted a large Israeli university with politically motivated aims, and Cyble Research and Intelligence Labs analyzed its Go-based binary, encryption behavior, and public messaging around motives. The attackers’ ransom note, Twitter bio, and Tor/TOX references suggest hacktivist-style intent and potential internal factors behind the incident. #DarkBit #DarkBitRansomware
Key points
- The operation appears politically motivated, with the threat actor(s) opposing racism and apartheid per DarkBit’s public posts.
- DarkBit reportedly compromised one of Israel’s largest universities, with actor identity still under investigation.
- The ransomware is a Windows Go binary that creates a global mutex to ensure a single running instance.
- It enumerates drives, deletes shadow copies via vssadmin, and then encrypts files using multithreading.
- Large files are segmented according to a configuration that limits each part and overall file size, with a .Darkbit extension for encrypted files and a DARKBIT_ENCRYPTED_FILES marker.
- The attack drops a ransom note (RECOVERY_DARKBIT.txt) that lists contact channels (TOX/TOR) and threatens to sell the stolen data if the ransom isn’t paid.
- Files/folders are excluded from encryption based on hardcoded extensions, filenames, and directories within the binary configuration.
MITRE Techniques
- [T1204] User Execution – The ransomware runs when the binary is executed on the host; the write-up maps this step to “User Execution”.
- [T1486] Data encrypted for impact – The ransomware encrypts files on the victim’s machine, appending the “.Darkbit” extension to the encrypted files. “encrypts files on the victim’s machine, appending the “.Darkbit” extension to the encrypted files.”
- [T1490] Inhibit System Recovery – It deletes shadow copies on the victim’s machine. “delete shadow copies on the victim’s machine”
- [T1082] System Information Discovery – The ransomware calls GetLogicalDrives() to identify all mounted drives and GetDriveType() to determine drive types. “The Ransomware calls the GetLogicalDrives() API to identify all mounted drives and the GetDriveType() API to determine the drive type of each drive on the victim’s machine.”
- [T1083] File and Directory Discovery – It enumerates files in the identified drives. “enumerates files in the identified drives.”
Indicators of Compromise
- [Mutex] Global mutex for single-instance execution – Globaldbdbdbdb
- [SHA256] DarkBit executable – 9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff
- [Filename] Ransom note – RECOVERY_DARKBIT.txt
- [Extension] Encrypted file extension – .Darkbit
- [Marker] End-of-encrypted-file marker – DARKBIT_ENCRYPTED_FILES
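The indicators above, plus the vssadmin shadow-copy deletion noted under the key points and T1490, are enough to write a small host-triage sweep. The following is an added example for defenders, not Cyble’s code or the ransomware’s: it walks a directory tree looking for the .Darkbit extension, confirms the DARKBIT_ENCRYPTED_FILES trailer at the end of each candidate file, flags RECOVERY_DARKBIT.txt, and separately scans process-creation log lines for vssadmin shadow deletion. The sample tree and log lines are constructed for the demo; only the extension, marker, note name and vssadmin behaviour come from the write-up.

```python
"""Host triage sweep for the DarkBit artefacts described in the Cyble write-up.

Added example, not code from the write-up. Indicator values (extension,
trailer marker, ransom note name, vssadmin shadow deletion) come from the
page; the demo directory tree and the log lines are constructed here.
"""
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".darkbit"                 # compared case-insensitively
EOF_MARKER = b"DARKBIT_ENCRYPTED_FILES"    # appended to encrypted files
RANSOM_NOTE = "RECOVERY_DARKBIT.txt"

# vssadmin shadow-copy deletion as it appears in a process-creation log
# (MITRE T1490). Case-insensitive because the Windows shell is.
VSSADMIN_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed process-creation log lines (not from the write-up).
SAMPLE_PROCESS_LOG = [
    'CommandLine: "C:\\Windows\\System32\\svchost.exe" -k netsvcs',
    "CommandLine: vssadmin.exe delete shadows /all /quiet",
    'CommandLine: "C:\\Windows\\System32\\vssadmin.exe" list shadows',
    "CommandLine: VSSADMIN Delete Shadows /All /Quiet",
]


def has_darkbit_marker(path: Path) -> bool:
    """True if the file ends with the DARKBIT_ENCRYPTED_FILES trailer."""
    size = path.stat().st_size
    if size < len(EOF_MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(EOF_MARKER))
        return fh.read(len(EOF_MARKER)) == EOF_MARKER


def sweep_tree(root: Path) -> dict:
    """Walk a tree and bucket DarkBit file-system indicators by confidence."""
    findings = {"encrypted": [], "ransom_notes": [], "ext_without_marker": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(str(p))
            elif name.lower().endswith(ENCRYPTED_EXT):
                if has_darkbit_marker(p):
                    findings["encrypted"].append(str(p))
                else:
                    # Extension matches but no trailer: lower confidence, still worth review.
                    findings["ext_without_marker"].append(str(p))
    for bucket in findings.values():
        bucket.sort()
    return findings


def find_shadow_copy_deletion(log_lines) -> list:
    """Return the log lines in which vssadmin is invoked to delete shadow copies."""
    return [line for line in log_lines if VSSADMIN_DELETE.search(line)]


def build_demo_tree() -> Path:
    """Create a constructed sample tree resembling a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="darkbit_demo_"))
    (root / "docs").mkdir()
    (root / "tmp").mkdir()
    # Encrypted file: opaque bytes followed by the trailer marker.
    (root / "docs" / "budget.xlsx.Darkbit").write_bytes(b"\x00" * 64 + EOF_MARKER)
    # Ransom note dropped beside the encrypted files.
    (root / "docs" / RANSOM_NOTE).write_text("constructed placeholder note\n")
    # Untouched file: should not be reported.
    (root / "docs" / "notes.txt").write_text("plain text\n")
    # Extension matches but the trailer is missing: reported at lower confidence.
    (root / "tmp" / "draft.docx.DARKBIT").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for bucket, paths in sweep_tree(demo_root).items():
        print(f"{bucket}: {paths}")
    for hit in find_shadow_copy_deletion(SAMPLE_PROCESS_LOG):
        print(f"T1490 candidate: {hit}")
```

Checking the trailer rather than the extension alone keeps false positives down; a file with the extension but no marker is still reported, only in a separate bucket, because an interrupted or partially written encryption would look exactly like that.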
Read more: https://blog.cyble.com/2023/02/15/uncovering-the-dark-side-of-darkbit-ransomware/