Researchers at cybersecurity firm Profero cracked DarkBit ransomware encryption, allowing victims to recover files for free.
Good news for the victims of the DarkBit ransomware, researchers at cybersecurity firm Profero cracked the encryption process, allowing victims to recover files for free without paying the ransom.
However, at this time, the company has yet to release the decryptor.
Israel’s National Cyber Directorate linked the DarkBit ransomware operation to the Iran-nexus threat actor MuddyWater APT group.
In 2023, Profero responded to a DarkBit ransomware attack encrypting multiple VMware ESXi servers, suspected as retaliation for Iranian drone strikes. Attackers did not negotiate the ransom, focusing on operational disruption and an influence campaign to harm the victim’s reputation.
The group, posing as pro-Iran hacktivists, had previously targeted Israeli institutions. In this case, they demanded 80 Bitcoin and included anti-Israel messages in ransom notes, but Profero cracked the encryption, enabling free file recovery.
During analysis of DarkBit ransomware, Profero researchers found its AES-128-CBC key generation method produced weak and predictable keys. Using file timestamps and known VMDK headers, they reduced the keyspace to billions of possibilities, enabling efficient brute-forcing.
“We made use of an AES-128-CBC key breaking harness to test if our theory was correct, as well as a decryptor which would take an encrypted VMDK and a key and IV pair as input to produce the unencrypted file. The harness ran in a high-performance environment, allowing us to speed through the task as quickly as possible, and after a day of brute-forcing, we were successful!” reads the report published by the experts.
“We had proven it was possible, and obtained the key. We then continued to brute force another VMDK, but this method wasn’t scalable for two reasons:
- Each VMDK file would take us a day to decrypt
- The harness sits in an HPC environment and is limited in scaling capability
While expensive, it ended up being possible. We decided to once again take a look at any potential weaknesses in the crypto.”
Profero created a tool to test all possible seeds and generate key and IV pairs, and match them against VMDK headers. This process allowed them to recover the decryption keys. They also leveraged the sparsity of VMDK files, where large portions of content remained unencrypted due to partial encryption by the ransomware, to recover most needed files directly, bypassing brute-force decryption for much of the data.
“VMDK files are sparse, which means they are mostly empty, and therefore, the chunks encrypted by the ransomware in each file are also mostly empty. Statistically, most files contained within the VMDK filesystems won’t be encrypted, and most files inside these file systems were anyways not relevant to us/ our task/ our investigation.” concludes the experts. “So, we realized we could walk the file system to extract what was left of the internal VMDK filesystems… and it worked! Most of the files we needed could simply be recovered without decryption.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
