Cybersecurity researchers have successfully cracked the encryption used by DarkBit ransomware, enabling victims to recover their files for free without paying ransom demands. This breakthrough occurred during a 2023 incident response case and represents a significant victory against politically motivated cyber attacks.
Background of the Attack
DarkBit ransomware emerged as part of a geopolitically motivated attack rather than a typical profit-driven cybercrime operation. The ransomware has been linked to Iran-nexus MuddyWater APT group, a state-sponsored hacking organization known for conducting cyberespionage attacks.
The specific attack that led to this breakthrough occurred in 2023, targeting multiple VMware ESXi servers. The timing suggested it was retaliation for Iranian drone strikes that targeted an ammunition factory belonging to the Iranian Defence Ministry. The attackers demanded 80 Bitcoin and included anti-Israel messages in their ransom notes, but notably refused to engage in ransom negotiations, focusing instead on operational disruption and reputational damage.
Technical Details of the Encryption Flaw
DarkBit ransomware uses a sophisticated encryption scheme that initially appeared robust:
- AES-128-CBC encryption with unique keys and Initialization Vectors (IV) generated at runtime for each file
- RSA-2048 encryption for protecting the keys
- Keys are appended to encrypted files
However, researchers discovered critical weaknesses in the implementation:
Key Generation Vulnerability
The researchers found that DarkBit’s key generation method produced weak and predictable keys due to low entropy. When combined with encryption timestamps that could be inferred from file modification times, the total keyspace was reduced to just a few billion possibilities—a manageable number for brute-force attacks.
VMDK File Structure Exploitation
The breakthrough was particularly effective against Virtual Machine Disk (VMDK) files on ESXi servers because:
- VMDK files have known header bytes, allowing researchers to test decryption attempts against predictable patterns
- They only needed to brute-force the first 16 bytes to verify if the header matched correctly
- VMDK files are sparse (mostly empty), meaning much of the file content wasn’t actually encrypted
The Decryption Process
Specialized tools were built to exploit these weaknesses:
- Brute-force harness: Generated candidate key/IV pairs and tested them against VMDK headers in a high-performance computing environment
- File system recovery: Extracted unencrypted portions from sparse VMDK files without needing decryption
VMDK files are sparse, which means they are mostly empty, and therefore, the chunks encrypted by the ransomware in each file are also mostly empty. Most of the files needed could simply be recovered without decryption.
After one day of brute-forcing, the encryption keys were successfully recovered.
Impact and Availability
While this represents a major victory for ransomware victims, there are important limitations:
- The decryptor tool is not publicly released
- Instead, direct assistance to victims is offered to those who contact security researchers for help
- This targeted support approach ensures both effective recovery and operational security
The researchers noted that DarkBit’s objectives would have been better served with a data wiper rather than ransomware, since their refusal to negotiate left victims no choice but to find alternative recovery methods.
