Ransomware - DarkBit

DarkBit
Decryptor Available
Yes
Description

DarkBit appears to be a "one and done" after they breached and extorted Technion – Israel Institute of Technology for 80 BTC, or roughly $1.75 million. Researchers claim other Israeli institutes were affected, but we have no evidence to back those claims. The ransomware operators didn't just extort Technion for money; they also left messages that led researchers to believe the group had other intentions. For example, on their Telegram channel, they left a statement blaming and shaming Israel for war crimes after the breach. They also left a somewhat different motive on Twitter, hinting at a disgruntled employee being the culprit. However, in combination, it could be that a disgruntled former employee helped Iranian-backed hacktivists breach the institute, but we make no assumptions.

The encryptor payload is unique in that it performs intermittent encryption on files. The encryption routine splits the files into chunks and encrypts some chunks using AES-256 while skipping over others. Researchers from CyberArk have created a decryption tool called White Phoenix to help tackle encryption routines such as these. The tool only works on specific file types, so it may not be a thorough solution to your problems if you somehow become affected by DarkBit. However, every little bit helps.

Aside from the encryption routine, the ransomware is human-operated (HumOR). This determination is based on the payload using a configuration file and command line arguments to differentiate each encryption routine uniquely. For example, the DarkBit payload that encrypted Technion's systems was configured for their network specifically, and, of course, as was the ransom note. During the encryption routine, the ransomware changes the encrypted file's names to an 18-character alphanumeric sequence and then changes the file extension to ".Darkbit".

Ransomware Type
Crypto-Ransomware
HumOR
Country of Origin
Iran
First Seen
Last Seen
Threat Actors
Media type
Actor
APT
MuddyWater
Affiliate
Storm-1084
Extortion Types
Blackmail
Direct Extortion
Double Extortion
Extortion Price Increases
Extortion Amounts
Amount
80BTC($1,757,276)
Communication
Medio
Identificador
Tox
Encryption
Type
Symmetric
Files
AES-256
File Extension
<18 Random Alphanumeric Characters>.Darkbit
Ransom Note Name
RECOVERY_DARKBIT.txt
Ransom Note Image
Samples (SHA-256)
503360fcb8c42a8e1256fa2e5744f1291e50312e14d63998c33963b40f72b059
9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff
Known Victims
Industry Sector País Extortion Date Amount (USD)
EducationIsrael 80 BTC($1,757,276)