A significant breakthrough in cybersecurity has been announced, as researchers at the firm Profero have successfully cracked the encryption used by the DarkBit ransomware group. This development could offer a lifeline to victims of attacks attributed to the group, which has been linked to politically motivated intrusions, most notably a high-profile attack on a research university in Israel in 2023.
The DarkBit ransomware, known for its use in attacks targeting VMware ESXi servers, employed a complex encryption scheme involving AES-128-CBC with a unique key and a runtime-generated initialization vector (IV) protected by RSA-2048 encryption. This method had previously made it difficult for victims to recover their data without paying the ransom.
However, a detailed technical analysis by Profero uncovered a critical weakness. According to their findings, the ransomware’s key generation technique had a surprisingly low level of entropy, meaning the possible range of keys was much smaller than initially assumed. This flaw, combined with the fact that DarkBit’s encryption of large files was intermittent and timestamp-dependent, allowed the researchers to devise a new approach.
Instead of needing to brute-force a massive cryptographic keyspace, the researchers realized they could target a limited portion of the encrypted files. By focusing on the first 16 bytes of Virtual Machine Disk (VMDK) files on ESXi servers, they were able to walk the file system and recover a significant amount of data without a full decryption key. In a statement, a spokesperson for Profero noted, “Most of the files we needed could simply be recovered without decryption.”
While the firm has developed a tool to assist victims, they have stated that they will not be releasing it publicly to prevent potential misuse. Instead, Profero has expressed its willingness to work directly with affected organizations to help them recover their data. This news offers a glimmer of hope for victims who had previously considered their data lost or were faced with the difficult decision of paying a ransom to a group with geopolitical motivations. This development highlights the ongoing cat-and-mouse game between cybercriminals and security professionals and underscores the importance of continuous research in combating evolving cyber threats.
