Encryption key for DarkBit ransomware
Good news for people affected by the DarkBit ransomware: experts from Profero have cracked its encryption process, allowing victims to recover their files without paying any ransom.
However, the company has not yet released the decryptor. Israel's National Cyber Directorate has linked the DarkBit ransomware operation to the Iran-nexus cybercriminal gang known as “MuddyWater APT.”
How the attack started
In the 2023 DarkBit ransomware attack, the gang encrypted various VMware ESXi servers, an operation believed to be retaliation for Iranian drone attacks. The threat actors did not negotiate the ransom and focused instead on disrupting operations and running campaigns to damage the target's reputation.
The gang posed as pro-Iran hacktivists and had a history of attacking Israeli agencies. In this incident, the gang demanded 80 Bitcoins and included anti-Israel messages in its ransom notes. Profero, however, cracked the encryption, allowing free recovery.
How did the experts find out?
While studying DarkBit ransomware, experts discovered that its AES-128-CBC key generation routine produced weak and predictable keys. Profero used file timestamps and a known VMDK header to narrow the keyspace to billions of candidate keys, making an effective brute-force search possible.
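The recovery approach described above, as an added illustration that is not Profero's tooling and not DarkBit's actual code: a key derived from a low-entropy seed (here a hypothetical 32-bit timestamp, an assumption) can be recovered by walking the plausible timestamp window around a file's modification time and checking each candidate key against a known plaintext, the file header. The header bytes, the IV, the timestamps and the key-derivation function are all constructed for the demo; the AES-128-CBC step uses the `cryptography` package if it is installed and otherwise falls back to a labelled stand-in cipher so the search logic still runs.

```python
"""Added example: known-plaintext search over a timestamp-seeded key space.
Not DarkBit's real key schedule and not Profero's decryptor; everything below
except the general technique is an assumption made for illustration."""
import hashlib
import struct

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:  # stand-in cipher used only if 'cryptography' is missing
    HAVE_AES = False

# Constructed known plaintext: a real VMDK sparse header begins with the magic
# "KDMV"; the remaining 12 bytes here are made up to fill one 16-byte block.
KNOWN_HEADER = b"KDMV" + bytes(range(12))


def derive_key(timestamp: int) -> bytes:
    """Hypothetical weak KDF: the AES-128 key depends only on a 32-bit timestamp.
    This is the modelled weakness (predictable seed), not DarkBit's scheme."""
    return hashlib.sha256(struct.pack("<I", timestamp)).digest()[:16]


def _encrypt_block(key: bytes, iv: bytes, block: bytes) -> bytes:
    if HAVE_AES:
        enc = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
    keystream = hashlib.sha256(key + iv).digest()  # stand-in, demo only
    return bytes(a ^ b for a, b in zip(block, keystream))


def _decrypt_block(key: bytes, iv: bytes, block: bytes) -> bytes:
    if HAVE_AES:
        dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
        return dec.update(block) + dec.finalize()
    keystream = hashlib.sha256(key + iv).digest()  # stand-in, demo only
    return bytes(a ^ b for a, b in zip(block, keystream))


def recover_key(first_block: bytes, iv: bytes, mtime: int, window: int):
    """Walk timestamps from mtime backwards over `window` seconds; return the
    (timestamp, key) pair whose key decrypts the first ciphertext block to the
    known header, or None if no candidate matches. One 16-byte block suffices:
    a chance match against a full AES block is negligible."""
    for ts in range(mtime, mtime - window - 1, -1):
        key = derive_key(ts)
        if _decrypt_block(key, iv, first_block) == KNOWN_HEADER:
            return ts, key
    return None


def demo():
    """Constructed scenario: encrypt the header at a known time, then recover the
    key using only the ciphertext, the IV and the file's modification time."""
    true_ts = 1_676_000_000            # constructed encryption time
    iv = bytes(16)                     # IV assumed known (e.g. stored with the file)
    ciphertext = _encrypt_block(derive_key(true_ts), iv, KNOWN_HEADER)
    mtime = true_ts + 37               # mtime lands shortly after encryption began
    return recover_key(ciphertext, iv, mtime, window=3600)


if __name__ == "__main__":
    print(demo())
```

The search here is a few thousand candidates and runs instantly in Python; the page's real case needed a keyspace in the billions, which calls for a native, parallel implementation of the same check. The defensive lesson is the same at either scale: a key is only as strong as the entropy of its seed, and any file with a predictable header hands the analyst a free known-plaintext oracle.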
“We mad
[…]