In a rare victory against cyber extortion, security researchers have managed to break the encryption used by DarkBit ransomware, offering victims a chance to regain access to their files at no cost. The malicious campaign, attributed to the Iranian state-sponsored group MuddyWater, had been targeting VMware ESXi servers, crippling operations for businesses and institutions alike.
Ransomware attacks often leave victims with a grim choice: pay large sums to criminals or lose valuable data forever. In this case, however, Profero’s cybersecurity team discovered and exploited flaws in DarkBit’s encryption process. This breakthrough means that those hit by the ransomware can now restore their data without funding the attackers.
How the Campaign Began
In 2023, DarkBit operators launched attacks against virtualized environments, encrypting critical virtual machine files. The ransomware relied on AES-128-CBC encryption with unique keys for each file, later locked with RSA-2048. On the surface, this looked like a strong encryption setup, but Profero’s investigation uncovered significant weaknesses.
Why the Encryption Failed
The ransomware’s key generation did not draw on a properly random source, which shrank the set of keys it could actually produce. By starting from each file’s creation timestamp, researchers narrowed the candidate keys to a range small enough to search.
VMware VMDK files also gave defenders an advantage. Their predictable headers made it easy to confirm when the right key had been found, since a correct candidate produces the expected header on decryption, which sped up the recovery process.
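As an added illustration (not Profero’s tooling and not DarkBit’s real code), the Go program below models the two weaknesses just described: a hypothetical key generator seeded from a timestamp, and a known-header check against a constructed VMDK-like file. The seeding routine, the one-hour window, the zero IV and the sample plaintext are all assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	mrand "math/rand"
)

// Constructed sample: sparse VMDK extents begin with the magic "KDMV", a
// predictable header that each candidate key can be checked against.
var knownHeader = []byte("KDMV")
// weakKey is a hypothetical timestamp-seeded, non-cryptographic generator:
// one seed always yields the same AES-128 key, so the key space is the window.
func weakKey(ts int64) []byte {
	key := make([]byte, 16)
	mrand.New(mrand.NewSource(ts)).Read(key)
	return key
}
func encryptCBC(key, iv, plain []byte) []byte { // plain is block-aligned
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out
}
// firstBlockMatches decrypts only block 0: one AES call per candidate key.
func firstBlockMatches(key, iv, ct []byte) bool {
	block, _ := aes.NewCipher(key)
	buf := make([]byte, aes.BlockSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(buf, ct[:aes.BlockSize])
	return bytes.HasPrefix(buf, knownHeader)
}
// recoverKey walks the timestamp window [start, end] taken from the file's
// creation time and returns the seed whose key reproduces the header.
func recoverKey(ct, iv []byte, start, end int64) (int64, bool) {
	for ts := start; ts <= end; ts++ {
		if firstBlockMatches(weakKey(ts), iv, ct) {
			return ts, true
		}
	}
	return 0, false
}

func main() { // constructed demo: 32-byte VMDK-like plaintext, zero IV
	plain := []byte("KDMV\x01\x00\x00\x00constructed sample block")
	iv, created := make([]byte, aes.BlockSize), int64(1_700_000_000)
	ct := encryptCBC(weakKey(created+17), iv, plain)
	fmt.Println(recoverKey(ct, iv, created, created+3600)) // 1700000017 true
}
```

Replacing weakKey with 16 bytes from crypto/rand leaves the window search nothing to find; when reviewing any keying scheme, a seed derived from time or other guessable state is the defect to look for.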
Recovering Data Through Sparse Files
Profero’s team also took advantage of the sparse layout of many VMDK files. Since large portions contained no data, they could extract undamaged file segments without decrypting the full content. This method allowed organizations to recover functional virtual machines more quickly.
Why the Tool Isn’t Public
To prevent abuse, Profero will not release the decryption tool. Instead, they are offering private assistance to any future DarkBit victims. Organizations can reach out directly to initiate the recovery process.
Final Thoughts
The fact that DarkBit ransomware was cracked is an important reminder that even advanced-looking ransomware can have fatal flaws. Profero’s work provides real hope for victims and proves that technical skill can level the playing field. Still, relying on encryption weaknesses is not a strategy. Strong security measures, regular backups, and fast incident response remain the most reliable defenses against ransomware attacks.