Free Data Recovery Solution for MuddyWater’s DarkBit Ransomware: How to Crack the Code
In 2023, the cybersecurity firm Profero successfully cracked the encryption used by the DarkBit ransomware gang, enabling them to recover a victim’s files without the need to pay a ransom. This incident occurred during an investigation into a ransomware attack that had encrypted multiple VMware ESXi servers belonging to one of Profero’s clients. The timing of the attack suggested it was a retaliatory measure following drone strikes in Iran that targeted an ammunition factory linked to the Iranian Defence Ministry. The attackers, claiming to be from DarkBit, had previously posed as pro-Iranian hacktivists and targeted educational institutions in Israel, demanding a ransom of 80 Bitcoin while including anti-Israel rhetoric in their communications.
Profero’s investigation revealed that the DarkBit ransomware was linked to the Iranian state-sponsored APT hacking group known as MuddyWater, which has a history of cyberespionage. Unlike typical ransomware scenarios, the attackers did not engage in ransom negotiations but focused on causing operational disruption and reputational damage to the victim. At the time of the attack, no decryptor was available for DarkBit ransomware. Profero’s researchers analysed the malware and discovered weaknesses in its encryption method, which used a low-entropy key generation process. By leveraging the known header bytes of Virtual Machine Disk (VMDK) files, Profero developed a tool to brute-force the first 16 bytes, significantly reducing the keyspace. This innovative approach, combined with the sparse nature of VMDK files, allowed Profero to recover substantial amounts of data without needing to decrypt every file.
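As an added illustration of the known-plaintext idea described above (not Profero's tool and not DarkBit's actual scheme, which this summary does not detail), the following constructed model derives a 16-byte key from a 32-bit seed and uses the known start of a VMDK sparse-extent header (`KDMV` followed by version 1) to reject wrong candidates without touching the rest of the file. The toy cipher, the seed-based key derivation and the seed window are assumptions chosen so the search runs in seconds.

```python
import hashlib
import struct

# Known start of a VMDK sparse-extent header: magic "KDMV" then version 1 as a
# little-endian uint32. A candidate key that does not turn the first ciphertext
# bytes into this prefix is rejected without decrypting anything else.
VMDK_KNOWN_PREFIX = b"KDMV" + struct.pack("<I", 1)


def derive_key(seed: int) -> bytes:
    """Toy low-entropy key derivation (assumption): a 32-bit seed -> 16-byte key."""
    return hashlib.sha256(seed.to_bytes(4, "little")).digest()[:16]


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher (assumption): SHA-256 in counter mode over the key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(seed: int, plaintext: bytes) -> bytes:
    """Encrypt (and, being XOR-based, also decrypt) with the key for `seed`."""
    return xor_bytes(plaintext, keystream(derive_key(seed), len(plaintext)))


def recover_seed(ciphertext_head: bytes, seed_lo: int, seed_hi: int):
    """Known-plaintext search over [seed_lo, seed_hi).

    Only the first len(VMDK_KNOWN_PREFIX) ciphertext bytes are needed, so the
    check is cheap and the rest of the image is never read during the search.
    Returns the first seed whose key yields the expected header, or None.
    """
    n = len(VMDK_KNOWN_PREFIX)
    head = ciphertext_head[:n]
    for seed in range(seed_lo, seed_hi):
        if xor_bytes(head, keystream(derive_key(seed), n)) == VMDK_KNOWN_PREFIX:
            return seed
    return None
```

Once a seed is confirmed against the header, the same key decrypts the remaining blocks, and for sparse images only the populated regions need to be processed.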
Categories: Cybersecurity, Ransomware, Incident Response
Tags: Profero, DarkBit, Ransomware, Encryption, Cyberattack, VMware, APT, Decryptor, Key Generation, Influence Campaign