DarkBit Ransomware Targets Israel with Command-Line Options and Optimized Encryption Routines

DarkBit is a new ransomware strain that targeted Technion in Israel, encrypting files and demanding a Bitcoin ransom. The group uses a branded onion site and social media accounts to publicize the attack and promote geopolitical messaging.

Keypoints

  • DarkBit is a Golang-compiled ransomware that attacked Technion – Israel Institute of Technology.
  • The malware encrypts files with AES-256, appends the “.Darkbit” extension, and leaves a ransom note named “RECOVERY_DARKBIT.txt”.
  • It supports command-line execution with options (e.g., -all, -domain, -path, -t, -username), enabling autonomous operation.
  • Shadow copies are deleted via vssadmin to hinder data recovery (Inhibit System Recovery).
  • DarkBit uses Tor (.onion) and TOX for infrastructure and has a public payment/support page.
  • Initial ransom was 80 BTC (~$1.87M at the time); a 48-hour delay adds a 30% penalty.
  • DarkBit maintains public messaging on Telegram and Twitter, and attribution remains uncertain.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – By default the ransomware encrypts the victim’s device, using AES-256 in its encryption routine and affecting a wide range of file types. “The ransomware … encrypts the victim’s device by default, employing Advanced Encryption Standard 256-bits (AES-256) during its encryption routine, and impacts a wide range of file types.”
  • [T1059.003] Command-Line Interface – The malware can be launched from the command line with multiple optional arguments (e.g., -all, -domain, -path, -t, -username). “Executing the malware via the command-line can be done with multiple optional arguments, as seen below:”
  • [T1490] Inhibit System Recovery – The malware invokes vssadmin.exe to delete volume shadow copies so that the victim cannot restore files from them. “Upon execution, the malware will call vssadmin.exe, the localized Windows® administrative tool for shadow copies… The malware then attempts to run this command to delete shadow copies in order to prevent the victim organization from performing data recovery: vssadmin.exe delete shadow /all /Quiet”

Indicators of Compromise

  • [Hashes] MD5 and SHA-256 – 9880fae6551d1e9ee921f39751a6f3c0, 9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff
  • [File Name] Ransom Note – recovery_darkbit.txt
  • [Mutex in the System] Globaldbdbdbdb
  • [Network Indicators] Onion URL – hxxp://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad[.]onion/support, TOX ID – AB33BC51AFAC64D98226826E70B483593C81CB22E6A3B504F7A75348C38C862F00042F5245AC
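The behaviours listed under T1490 and T1059.003 and the file-name indicators above translate directly into host-based detection logic. The following is an added example, not code from the BlackBerry report: it runs simple matchers over constructed Sysmon-style process and file events (the sample events, the `update.exe` image name and the event dictionary layout are assumptions for illustration). Because the quoted command reads `delete shadow` while vssadmin’s documented verb is `delete shadows`, the matcher accepts both spellings.

```python
import re

# Constructed sample events (not taken from the report): two vssadmin lines,
# one DarkBit-style command line, an encrypted file and a ransom note drop.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /Quiet"},
    {"type": "process", "image": r"C:\Users\Public\update.exe",
     "cmdline": "update.exe -all -t 8 -username svc_backup"},
    {"type": "file", "path": r"C:\Users\alice\Documents\q1.xlsx.Darkbit"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\RECOVERY_DARKBIT.txt"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: listing, not deleting
]

# Accept "delete shadow" (as quoted in the report) and "delete shadows"
# (vssadmin's documented syntax), regardless of case or trailing switches.
VSS_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows?\b", re.I)
# Command-line switches the report attributes to DarkBit.
DARKBIT_SWITCHES = {"-all", "-domain", "-path", "-t", "-username"}
DARKBIT_EXT = re.compile(r"\.darkbit$", re.I)
RANSOM_NOTE = "recovery_darkbit.txt"


def classify(event: dict) -> list:
    """Return the technique/IoC labels an event matches; [] means no match."""
    hits = []
    if event["type"] == "process":
        cmd = event["cmdline"]
        if VSS_DELETE.search(cmd):
            hits.append("T1490 shadow copy deletion")
        # Two or more of the documented switches on one command line is a
        # stronger signal than a single generic flag such as -t.
        switches = {tok.lower() for tok in cmd.split() if tok.startswith("-")}
        if len(switches & DARKBIT_SWITCHES) >= 2:
            hits.append("T1059 DarkBit-style switches")
    elif event["type"] == "file":
        name = event["path"].rsplit("\\", 1)[-1]
        if DARKBIT_EXT.search(name):
            hits.append("T1486 .Darkbit extension")
        if name.lower() == RANSOM_NOTE:
            hits.append("T1486 ransom note")
    return hits


def scan(events):
    """Pair each matching event with its labels, dropping benign events."""
    return [(e, classify(e)) for e in events if classify(e)]
```

A single `.Darkbit` rename or one `-t` switch is weak on its own; correlating the shadow-copy deletion with a burst of extension changes on the same host is what makes the alert actionable.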

Read more: https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel