DarkBit appears to be a "one and done" after they breached and extorted Technion – Israel Institute of Technology for 80 BTC, or roughly $1.75 million. Researchers claim other Israeli institutes were affected, but we have no evidence to back those claims. The ransomware operators didn't just extort Technion for money; they also left messages that led researchers to believe the group had other intentions. For example, on their Telegram channel, they left a statement blaming and shaming Israel for war crimes after the breach. They also left a somewhat different motive on Twitter, hinting at a disgruntled employee being the culprit. However, in combination, it could be that a disgruntled former employee helped Iranian-backed hacktivists breach the institute, but we make no assumptions.
The encryptor payload is unique in that it performs intermittent encryption on files. The encryption routine splits the files into chunks and encrypts some chunks using AES-256 while skipping over others. Researchers from CyberArk have created a decryption tool called White Phoenix to help tackle encryption routines such as these. The tool only works on specific file types, so it may not be a thorough solution to your problems if you somehow become affected by DarkBit. However, every little bit helps.
Aside from the encryption routine, the ransomware is human-operated (HumOR). This determination is based on the payload using a configuration file and command line arguments to differentiate each encryption routine uniquely. For example, the DarkBit payload that encrypted Technion's systems was configured for their network specifically, and, of course, as was the ransom note. During the encryption routine, the ransomware changes the encrypted file's names to an 18-character alphanumeric sequence and then changes the file extension to ".Darkbit".
| Industry Sector | Paese | Extortion Date | Amount (USD) |
|---|---|---|---|
| Education | Israel | 80 BTC($1,757,276) |