
DarkBit Hackers Attacking VMware ESXi Servers to Deploy Ransomware and Encrypts VMDK Files

A newly discovered ransomware campaign has targeted enterprise VMware ESXi environments, deploying custom-built encryption tools that specifically hunt for virtual machine disk files across VMFS datastores.

Security researchers have successfully reverse-engineered the attack methodology and developed breakthrough decryption techniques, revealing critical vulnerabilities in the threat actors’ cryptographic implementation that enabled complete data recovery without ransom payment.

Key Takeaways
1. DarkBit ransomware targets VMware ESXi servers.
2. Uses AES-128-CBC encryption with RSA-2048 keys.
3. Researchers broke encryption without ransom payment.

DarkBit Ransomware Attacks

Profero Incident Response Team reports that the DarkBit cybercriminal group launched a coordinated attack against VMware ESXi servers, deploying a sophisticated C++-based ransomware tool specifically designed to encrypt virtual machine disk images. 

The malware, identified as esxi.darkbit (SHA256: 0bb1d29ede51d86373e31485d0e24701558e50856722357372518edfb98265a1), systematically targeted VMFS datastores across enterprise environments.

The attackers utilized `esxcli` commands to ensure all virtual machines were stopped before beginning the encryption process.

The ransomware then forked multiple processes to encrypt files concurrently, specifically targeting extensions including .vmdk, .vmx, .nvram, and other VMware-specific file formats. 

Each encrypted file received the .DARKBIT extension, rendering critical business systems inoperable.

Security researchers discovered the malware implements AES-128-CBC encryption using the widely-deployed Crypto++ cryptography library. 

(Figure: final encrypted data)

The ransomware generates unique AES keys and initialization vectors (IV) for each file, with the symmetric keys subsequently encrypted using a hardcoded RSA-2048 public key embedded within the binary.

The malware's execution requires specific command-line parameters: `./esxi <path to vmfs> <seconds to sleep before encryption> <list of VMs to encrypt>`.

During analysis, researchers found that the encryption process deliberately skips portions of larger files: it encrypts 0x100000-byte chunks and skips 0xa00000 bytes between them for files under 6.55MB, while for larger files the skip size is calculated as (FILESIZE / 0x32) - 0x200000.
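As an added example (not Profero's tooling or code from the article), the Go program below reproduces the chunk/skip layout just described and reports how much of a disk image is actually overwritten, which is what makes the later "walk the unencrypted regions" recovery possible. The threshold is a parameter because the article states it as 6.55MB, and the large-file formula (FILESIZE / 0x32) - 0x200000 only becomes positive above 0x32 * 0x200000 = 100 MiB, so confirm both against your own sample; clamping a negative gap to zero is this example's assumption.

```go
package main

import "fmt"

// Constants from the write-up: each encrypted chunk is 0x100000 bytes; small
// files use a fixed 0xa00000-byte gap, larger ones a size-derived gap.
const (
	ChunkSize = 0x100000
	SmallGap  = 0xa00000
)

// Gap returns the number of bytes left untouched between encrypted chunks.
// threshold is the small/large cut-over (the article states 6.55MB). Because
// (FILESIZE/0x32)-0x200000 is negative below 100 MiB, we clamp it at zero (assumption).
func Gap(fileSize, threshold int64) int64 {
	if fileSize < threshold {
		return SmallGap
	}
	if g := fileSize/0x32 - 0x200000; g > 0 {
		return g
	}
	return 0
}

// EncryptedRanges lists the [start,end) byte ranges the ransomware overwrites.
// The first range always starts at offset 0, which is why the VMDK header bytes
// are available for the known-plaintext key check discussed later in the article.
func EncryptedRanges(fileSize, threshold int64) [][2]int64 {
	step := ChunkSize + Gap(fileSize, threshold)
	var out [][2]int64
	for off := int64(0); off < fileSize; off += step {
		end := off + ChunkSize
		if end > fileSize {
			end = fileSize
		}
		out = append(out, [2]int64{off, end})
	}
	return out
}

// EncryptedBytes sums the ranges, i.e. how much of the file was actually touched.
func EncryptedBytes(fileSize, threshold int64) int64 {
	var n int64
	for _, r := range EncryptedRanges(fileSize, threshold) {
		n += r[1] - r[0]
	}
	return n
}

func main() {
	n := EncryptedBytes(1<<30, 6550000) // 1 GiB disk image, article's threshold
	fmt.Println("bytes encrypted in a 1 GiB VMDK:", n)
}
```

For a 1 GiB image the layout touches 53 chunks, roughly 5% of the file, leaving the remaining guest filesystem data intact.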


The critical weakness lies in the random number generator, which is seeded from the current timestamp, the process PID, and two stack addresses, leaving a finite keyspace of only about 2^39 possible values.

Decryption Via Cryptographic Analysis

Incident response teams successfully exploited weaknesses in the ransomware’s cryptographic implementation to recover encrypted data without paying ransom demands. 

Researchers leveraged the known VMDK file header structure to perform targeted brute-force attacks against the AES keys, utilizing high-performance computing resources to systematically test key combinations.

The breakthrough came from recognizing that VMDK files contain predictable magic bytes in their headers, which enabled a known-plaintext check on the first AES-128-CBC block: with approximately 50 bits of that block's plaintext known, each candidate key could be confirmed or rejected from the first block alone.
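The first-block check described above, written as an added Go example (not the researchers' recovery tool): it decrypts only CBC block 0 of a file and tests it against the VMDK sparse-extent magic "KDMV" plus a plausible version field. The candidate keys would in practice come from replaying the weak seeding over its ~2^39 seed space; here the sample key, IV and ciphertext are constructed inline, and the accepted version range 1..3 is this example's assumption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// A VMDK sparse-extent header starts with magic "KDMV" (0x564d444b LE) and a
// uint32 version; the filter below assumes versions 1..3 are the plausible ones.
var vmdkMagic = []byte("KDMV")

// CandidateMatches decrypts only CBC block 0 (P0 = AES_dec(key, C0) XOR IV) and
// applies the known-plaintext filter; nothing else in the file is needed.
func CandidateMatches(key, iv, c0 []byte) bool {
	blk, err := aes.NewCipher(key)
	if err != nil || len(iv) < aes.BlockSize || len(c0) < aes.BlockSize {
		return false
	}
	p := make([]byte, aes.BlockSize)
	blk.Decrypt(p, c0[:aes.BlockSize])
	for i := range p {
		p[i] ^= iv[i]
	}
	v := binary.LittleEndian.Uint32(p[4:8])
	return bytes.Equal(p[:4], vmdkMagic) && v >= 1 && v <= 3
}

// EncryptSampleHeader encrypts a constructed version-1 VMDK header under
// AES-128-CBC so the filter can be exercised offline (fixture, not real data).
func EncryptSampleHeader(key, iv []byte) []byte {
	hdr := make([]byte, aes.BlockSize)
	copy(hdr, vmdkMagic)
	binary.LittleEndian.PutUint32(hdr[4:], 1)
	blk, _ := aes.NewCipher(key)
	c0 := make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(c0, hdr)
	return c0
}

func main() {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed
	c0 := EncryptSampleHeader(key, iv)
	fmt.Println(CandidateMatches(key, iv, c0), CandidateMatches([]byte("not-the-key-0000"), iv, c0))
}
```

A recovery loop simply calls CandidateMatches for every key the replayed PRNG can produce and stops at the first hit; the ~50 known bits keep false positives negligible across a 2^39 keyspace.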

Additionally, investigators discovered that many critical files remained accessible by walking the internal VMDK filesystems, as the sparse nature of virtual disk files left substantial data unencrypted.

The successful recovery highlighted fundamental implementation flaws in the DarkBit ransomware, demonstrating that sophisticated encryption algorithms become vulnerable when improperly implemented with weak random number generation and predictable seed values.


The post DarkBit Hackers Attacking VMware ESXi Servers to Deploy Ransomware and Encrypts VMDK Files appeared first on Cyber Security News.
