BleepingComputer reports that Profero researchers have cracked the encryptors the DarkBit ransomware operation used in an attack on VMware ESXi servers two years ago.
Analysis of the malware, which was used in an intrusion suspected to have been carried out in response to Iranian drone strikes in 2023, showed that DarkBit encrypts each file with a unique AES-128-CBC key and a runtime-generated initialization vector, with the key protected by RSA-2048. Because DarkBit's low-entropy key generation and the encryption timestamp shrink the total keyspace, and because only the first 16 bytes of each Virtual Machine Disk file on the ESXi servers needed to be brute-forced, Profero researchers were able to build a tool, which also showed that the intermittent encryption had left most of the VMDK file content untouched. "So, we realized we could walk the file system to extract what was left of the internal VMDK filesystems... and it worked! Most of the files we needed could simply be recovered without decryption," said Profero, which has expressed willingness to assist DarkBit victims but has declined to release the decryptor publicly.
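The keyspace reduction described above, as an added Go example that is neither Profero's tool nor DarkBit's code: weakKey is a hypothetical timestamp-seeded derivation standing in for the low-entropy scheme, and the sparse-VMDK signature "KDMV" supplies the known plaintext that lets each candidate key be checked against only the first 16-byte block. That the IV is stored with the ciphertext is an assumption of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"math/rand"
)

// A sparse VMDK header starts with "KDMV": known plaintext for the first block.
var vmdkMagic = []byte("KDMV")

// weakKey is a HYPOTHETICAL low-entropy derivation (not DarkBit's real scheme):
// the whole key is a function of one Unix timestamp, so the keyspace is tiny.
func weakKey(ts int64) []byte {
	r := rand.New(rand.NewSource(ts))
	k := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(k[:8], r.Uint64())
	binary.LittleEndian.PutUint64(k[8:], r.Uint64())
	return k
}

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only possible on a wrong key length
	}
	return block
}

// encryptFirstBlock models the ransomware encrypting a file's first 16 bytes.
func encryptFirstBlock(key, iv, plain []byte) []byte {
	out := make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, plain[:aes.BlockSize])
	return out
}

// recoverTimestamp tries every second in [start, end], decrypting only the first
// block per candidate; the IV is assumed to be stored with the ciphertext.
func recoverTimestamp(ct, iv []byte, start, end int64) (int64, bool) {
	buf := make([]byte, aes.BlockSize)
	for ts := start; ts <= end; ts++ {
		cipher.NewCBCDecrypter(mustAES(weakKey(ts)), iv).CryptBlocks(buf, ct)
		if bytes.HasPrefix(buf, vmdkMagic) {
			return ts, true
		}
	}
	return 0, false
}
```

With a one-hour window either side of the suspected encryption time this is a few thousand AES block decryptions, which is why a timestamp-derived key offers no real protection once the plaintext of the first block is predictable.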