MuddyWater’s DarkBit Ransomware Cracked, Allowing Free Data Recovery

Profero cracked DarkBit ransomware’s encryption by exploiting its weak key generation, recovering a victim’s VMware ESXi server data without payment and undermining a politically driven, MuddyWater-linked cyberattack.

A notable win against state-linked cyberattacks came when cybersecurity firm Profero cracked the encryption used by the DarkBit ransomware group, enabling it to recover a victim’s data without paying any ransom. The incident took place in 2023 during an investigation into a ransomware attack that had locked multiple VMware ESXi servers belonging to one of Profero’s clients.

The attack bore the hallmarks of a politically motivated campaign rather than a typical financially driven ransomware operation. Its timing coincided with the 2023 drone strike in Iran on an ammunition plant run by the Iranian Defence Ministry. The attackers, operating under the DarkBit name, included anti-Israel statements in their ransom notes and demanded 80 Bitcoin.

The Israel National Cyber Directorate (INCD) has linked DarkBit’s activities to MuddyWater, an Iranian state-sponsored APT group known for cyberespionage operations. Past DarkBit campaigns targeted educational institutions in Israel while posing as pro-Iranian hacktivists. In this case, however, the attackers showed no interest in ransom negotiations. Instead, they focused on operational disruption and reputational damage, running an influence campaign designed to maximize the victim’s public embarrassment, a strategy more typical of nation-state actors than of criminal ransomware crews.

At the time, no public decryptor existed for DarkBit, so Profero researchers began dissecting the malware in search of weaknesses. DarkBit’s file encryption generated a unique AES-128-CBC key and initialization vector (IV) for each file at runtime, wrapped them with RSA-2048, and appended the wrapped blob to the locked file. The RSA layer itself was sound; the flaw was upstream of it. The team discovered that DarkBit’s key generation process had low entropy: the per-file key and IV depended on far fewer unpredictable bits than their 128-bit length suggests. By combining this weakness with the approximate encryption time, deduced from the modification timestamps of the encrypted files, they narrowed the candidate keyspace to only a few billion combinations, which is small enough to brute-force without ever touching the RSA-wrapped key.

A second advantage came from the fact that VMware ESXi Virtual Machine Disk (VMDK) files begin with known header bytes. With a known plaintext at offset zero, each candidate key only had to be tested against the first 16-byte AES block of a file: decrypt that one block, compare it with the expected header, and move on, instead of decrypting a multi-gigabyte disk image for every guess. Using these combined techniques, Profero decrypted the affected data and restored the victim’s full access without any ransom payment.
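The following Go program is an added illustration of the two ideas above, the timestamp-bounded keyspace and the one-block known-plaintext check. It is not Profero’s tooling or DarkBit’s code. It assumes, for illustration only, that the per-file AES key and IV come from a deterministic PRNG seeded with the encryption timestamp at one-second granularity, and it uses the text header of a VMDK descriptor file ("# Disk DescriptorFile") as the known plaintext; the sample descriptor and the timestamps are constructed. The RSA-2048 wrapping is omitted because the recovery never needs it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"math/rand"
	"time"
)

// Known plaintext: a VMDK descriptor begins with "# Disk DescriptorFile",
// so its first 16 bytes (one AES block) are predictable.
var knownVMDKPrefix = []byte("# Disk Descripto")

// weakKeyMaterial models low-entropy key generation. ASSUMPTION (not from
// the article): key and IV are drawn from a PRNG seeded with the encryption
// timestamp, so the whole per-file secret collapses to one integer.
func weakKeyMaterial(seed int64) (key, iv []byte) {
	r := rand.New(rand.NewSource(seed))
	key, iv = make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	for i := range key {
		key[i], iv[i] = byte(r.Intn(256)), byte(r.Intn(256))
	}
	return key, iv
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// ransomwareEncrypt stands in for the locker: AES-128-CBC over the file with
// key/IV derived from encTime (a constructed stand-in for the real scheme).
func ransomwareEncrypt(plaintext []byte, encTime int64) []byte {
	key, iv := weakKeyMaterial(encTime)
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// recoverSeed tries every seed in [lo, hi]. Each guess costs one AES block
// decryption plus an XOR with the IV, independent of file size, because only
// the first ciphertext block is compared against the known header.
func recoverSeed(ciphertext []byte, lo, hi int64) (int64, error) {
	if len(ciphertext) < aes.BlockSize {
		return 0, errors.New("ciphertext shorter than one block")
	}
	first, buf := ciphertext[:aes.BlockSize], make([]byte, aes.BlockSize)
	for s := lo; s <= hi; s++ {
		key, iv := weakKeyMaterial(s)
		block, err := aes.NewCipher(key)
		if err != nil {
			return 0, err
		}
		block.Decrypt(buf, first)
		for i := range buf {
			buf[i] ^= iv[i] // CBC: P0 = D_K(C0) XOR IV
		}
		if bytes.Equal(buf, knownVMDKPrefix) {
			return s, nil
		}
	}
	return 0, errors.New("no seed in window reproduced the known header")
}

// decryptWithSeed decrypts the whole file once the seed is known.
func decryptWithSeed(ciphertext []byte, seed int64) ([]byte, error) {
	if len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	key, iv := weakKeyMaterial(seed)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// Constructed sample descriptor, encrypted at a chosen instant.
const sampleDescriptor = "# Disk DescriptorFile\nversion=1\nencoding=\"UTF-8\"\ncreateType=\"vmfs\"\n"

func main() {
	encTime := time.Date(2023, 2, 12, 3, 14, 15, 0, time.UTC).Unix()
	ct := ransomwareEncrypt([]byte(sampleDescriptor), encTime)
	// Defender side: the file's mtime is a little after key generation, so
	// the seed must lie in a window ending at the mtime.
	mtime := encTime + 7
	seed, err := recoverSeed(ct, mtime-3600, mtime)
	if err != nil {
		fmt.Println("recovery failed:", err)
		return
	}
	pt, err := decryptWithSeed(ct, seed)
	fmt.Printf("seed %d recovered, full decrypt ok: %v\n", seed, err == nil && string(pt) == sampleDescriptor)
}
```

At one-second seed granularity an hour-long window is only 3,600 guesses; at nanosecond granularity a window of a few seconds is a few billion, the scale the article describes, and the per-guess cost is still a single block decryption. If the window is wrong the search fails cleanly rather than returning a false match, since a 16-byte collision with the known header is negligible.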

This case highlights how a single design flaw in ransomware, here weak key generation, can completely undermine an attack, even one carried out by advanced, state-linked threat actors.
