DarkBit Hackers Target VMware ESXi Servers to Deploy Ransomware and Encrypt VMDK Files

A newly discovered ransomware campaign, known as DarkBit, has targeted enterprise VMware ESXi environments. The attack uses a custom-built encryption tool that hunts specifically for virtual machine disk files across VMFS datastores. The Profero Incident Response Team reports that the DarkBit cybercriminal group launched a coordinated assault, deploying a C++-based ransomware tool designed to encrypt virtual machine disk images. The malware, identified as esxi.darkbit (SHA256: 0bb1d29ede51d86373e31485d0e24701558e50856722357372518edfb98265a1), systematically targets VMFS datastores, running esxcli commands to stop all virtual machines before encryption begins. The ransomware forks multiple processes to encrypt files concurrently, targeting extensions such as .vmdk, .vmx and .nvram. Each encrypted file receives the .DARKBIT extension, rendering critical business systems inoperable.

Security researchers have reverse-engineered the attack methodology and developed decryption techniques that exploit critical weaknesses in the threat actors' cryptographic implementation. The ransomware uses AES-128-CBC together with RSA-2048: it generates a unique AES key and initialisation vector for each file, then encrypts that symmetric key with an RSA-2048 public key hardcoded in the binary. Researchers found that the encryption routine deliberately skips portions of larger files, and that weaknesses in the random number generator leave a finite keyspace of only about 2^39 possible values. Incident response teams exploited these weaknesses to recover encrypted data without paying the ransom, using the known VMDK file header structure as a known plaintext for a targeted brute-force search over the per-file AES keys.
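The recovery principle described above, as an added example that is not Profero's tooling or DarkBit's code: the article does not say how DarkBit's random number generator is weak, so the key derivation below (`weakKeyIV`, a seed of a few bits expanded with SHA-256) is a hypothetical stand-in for a generator with a small effective state, and the 16-byte `knownHeader` is a constructed approximation of the start of a VMware sparse-extent VMDK. The point it demonstrates is the one the responders relied on: with a known first block, a candidate key can be rejected after decrypting a single AES-CBC block, so enumerating a keyspace is a matter of throughput rather than of understanding the rest of the file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// knownHeader is a CONSTRUCTED 16-byte stand-in for the start of a VMware
// sparse-extent VMDK: the "KDMV" magic (0x564d444b, little-endian), a version
// and a flags field. Real extents carry more fields; only the first AES block
// is needed for the known-plaintext check.
var knownHeader = func() []byte {
	h := make([]byte, 16)
	binary.LittleEndian.PutUint32(h[0:], 0x564d444b) // "KDMV"
	binary.LittleEndian.PutUint32(h[4:], 1)          // version
	binary.LittleEndian.PutUint32(h[8:], 3)          // flags
	binary.LittleEndian.PutUint32(h[12:], 0)         // capacity (low word)
	return h
}()

// weakKeyIV is a HYPOTHETICAL weak generator, not DarkBit's: it expands a small
// seed into a 16-byte AES-128 key and a 16-byte IV. Because the seed is small,
// every key/IV pair the generator can ever produce is enumerable.
func weakKeyIV(seed uint64) (key, iv []byte) {
	var s [8]byte
	binary.LittleEndian.PutUint64(s[:], seed)
	sum := sha256.Sum256(s[:])
	return sum[:16], sum[16:32]
}

// encryptCBC encrypts a block-aligned buffer with AES-128-CBC. No padding is
// applied because only whole header blocks are used in this example.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext must be a multiple of the AES block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// recoverSeed enumerates every seed below 1<<seedBits, derives the candidate
// key/IV, decrypts ONLY the first ciphertext block and compares it with the
// known header. In CBC the first block decrypts as P0 = D_k(C0) XOR IV, so no
// other part of the file is needed to accept or reject a candidate.
func recoverSeed(firstBlock []byte, seedBits uint) (uint64, error) {
	if len(firstBlock) != aes.BlockSize {
		return 0, errors.New("need exactly one ciphertext block")
	}
	var plain [aes.BlockSize]byte
	for seed := uint64(0); seed < 1<<seedBits; seed++ {
		key, iv := weakKeyIV(seed)
		block, err := aes.NewCipher(key)
		if err != nil {
			return 0, err
		}
		block.Decrypt(plain[:], firstBlock)
		for i := range plain {
			plain[i] ^= iv[i]
		}
		if bytes.Equal(plain[:], knownHeader) {
			return seed, nil
		}
	}
	return 0, errors.New("no seed reproduces the known header")
}

func main() {
	const seedBits = 16 // toy space; the article reports roughly 2^39 for DarkBit
	victimSeed := uint64(0xBEEF)
	key, iv := weakKeyIV(victimSeed)
	ct, err := encryptCBC(key, iv, knownHeader)
	if err != nil {
		panic(err)
	}
	seed, err := recoverSeed(ct[:aes.BlockSize], seedBits)
	if err != nil {
		panic(err)
	}
	rKey, _ := weakKeyIV(seed)
	fmt.Printf("recovered seed 0x%X, AES key %x (matches: %v)\n", seed, rKey, bytes.Equal(rKey, key))
}
```

Because the article says each file gets its own key and IV, this search has to be repeated per file, and at 2^39 candidates it only becomes practical when the per-candidate cost is one key schedule plus one block decryption, which is exactly what checking the header alone buys.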

Categories: Ransomware Attacks, Cybersecurity Research, Data Recovery Techniques 

Tags: Ransomware, VMware, ESXi, Encryption, Decryption, Cybersecurity, DarkBit, VMFS, AES-128-CBC, RSA-2048 