Researchers at the cybersecurity firm Profero have successfully cracked the encryption used by the DarkBit ransomware, offering a lifeline to victims who can now recover their encrypted files for free. This breakthrough, which has yet to lead to a publicly released decryptor, comes after Profero’s analysis of a DarkBit attack on VMware ESXi servers. The attack, believed to be the work of the Iran-nexus threat actor MuddyWater, was more focused on causing operational disruption and reputational damage than on financial gain. Attackers, who posed as pro-Iran hacktivists, demanded 80 Bitcoin and included anti-Israel messages in their ransom notes, refusing to negotiate with their targets.
Profero’s success hinged on discovering a critical flaw in the ransomware’s encryption process. During their analysis, researchers found that the AES-128-CBC key generation method used by DarkBit was weak and predictable. The ransomware produced keys that weren’t truly random, making them susceptible to being reverse-engineered. By using file timestamps and known VMDK headers, the Profero team was able to significantly reduce the number of potential keys, turning a seemingly impossible task into a manageable one. This insight allowed them to begin the process of brute-forcing the encryption keys.
Initially, the researchers built a tool to test their theory, using a key-breaking harness in a high-performance computing environment. They successfully brute-forced the encryption for one encrypted VMDK file, a process that took an entire day. While this proved that decryption was possible, it wasn’t a scalable solution. The team recognized that this method was too time-consuming and expensive to be practical for widespread use. This realization prompted them to look for additional weaknesses in the ransomware’s cryptographic implementation, leading to a more efficient and scalable solution for decryption.
To overcome the limitations of the initial brute-force method, Profero’s team developed a new tool that could efficiently recover decryption keys. This tool was designed to test all possible “seeds” and generate the correct key and IV (Initialization Vector) pairs. It then matched these pairs against known VMDK headers to identify the correct decryption keys. This process proved much faster and more scalable than their initial brute-force approach. Furthermore, the researchers discovered that due to the sparse nature of VMDK files, a significant portion of the data remained unencrypted. This allowed them to directly recover most of the needed files without decryption, bypassing the brute-force process entirely for much of the data.
The successful cracking of the DarkBit ransomware’s encryption is a major victory for cybersecurity and a significant relief for its victims. Profero’s work provides a clear path for companies and individuals to regain access to their data without having to give in to the demands of the attackers. While the public release of a decryptor is still pending, the research confirms that paying the ransom is unnecessary. This development not only helps current victims but also undermines the business model of ransomware groups like MuddyWater, proving that their attacks can be defeated and their financial motivations thwarted.
Reference:
