DarkBit Hackers Target VMware ESXi, Encrypt VMDK Files in Ransomware Blitz

Following a series of drone strikes on Iranian military facilities in January 2023, cybersecurity researchers have successfully broken the encryption of a sophisticated ransomware attack that experts believe was linked to nation-state actors.

The incident illustrates both the evolving nature of cyber warfare and the technical expertise required to counter it.

DarkBit Ransomware Targets Critical Infrastructure

On January 28, 2023, three drones struck an ammunition factory belonging to the Iranian Defence Ministry in Isfahan, with additional explosions reported at oil facilities in Tabriz, Karaj, and Azarshahr.

While Israel made no official comment, intelligence agencies attributed the attacks to Israeli operations against Iranian infrastructure.

Following these physical attacks, a large organization contacted the Profero Incident Response Team after discovering that employee endpoints and multiple ESXi servers had been encrypted by ransomware from a previously unknown group calling themselves “DarkBit.”

The attackers deployed a sophisticated tool named esxi.darkbit, specifically designed to encrypt virtual machine disk images on ESXi servers’ VMFS mounts.

The ransomware, developed in C++ and utilizing the Crypto++ cryptography library, required specific command-line parameters: ./esxi <path to vmfs> <seconds to sleep before encryption> <list of VMs to encrypt>.

The malware employed AES-128-CBC encryption with 16-byte keys, while the encryption keys themselves were protected using RSA-2048 public-key cryptography.

Analysis revealed that the tool employed a selective encryption strategy, encrypting files in chunks rather than entirely.

For files under 6.55MB, it encrypted 0x100000-byte chunks while skipping 0xa00000 bytes.

Larger files used 0x200000-byte chunks with skip sizes calculated as (FILESIZE / 0x32) - 0x200000.

Technical Breakthrough Enables Data Recovery

Despite the ransomware’s apparent sophistication, Profero’s team identified critical implementation flaws.

The malware’s random number generator was seeded using predictable values: the current Unix timestamp, the process ID (PID), and two stack addresses.

This created a finite keyspace of approximately 2^39 possible values.

The breakthrough came when researchers realized they could exploit the known VMDK file header structure as a decryption anchor.

By attempting to decrypt only the first 16 bytes of encrypted files, they could quickly validate potential keys without processing entire files.
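The header-anchor check described above, as an added example that is neither Profero’s recovery tooling nor the ransomware’s code: it assumes a stand-in seed-to-key mapping and a known IV (the article documents neither), builds a constructed ciphertext of a VMDK header, and scans a window of candidate seeds by decrypting only the first AES block of each candidate.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/rand"
)

// Known plaintext: a VMware sparse-extent VMDK begins with the 4-byte magic
// "KDMV", so a wrong key is rejected after decrypting a single 16-byte block.
var vmdkMagic = []byte("KDMV")
// keyFromSeed stands in for the undocumented PRNG-to-key derivation (assumption).
func keyFromSeed(seed int64) []byte {
	r, key := rand.New(rand.NewSource(seed)), make([]byte, 16)
	for i := range key {
		key[i] = byte(r.Intn(256))
	}
	return key
}
// decryptFirstBlock: AES-128-CBC over only the first block; a known IV is assumed.
func decryptFirstBlock(key, iv, ct []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here
	out := make([]byte, aes.BlockSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct[:aes.BlockSize])
	return out
}
// recoverSeed scans [lo, hi) for the first seed whose key restores the header.
func recoverSeed(ct, iv []byte, lo, hi int64) (int64, bool) {
	for s := lo; s < hi; s++ {
		if bytes.HasPrefix(decryptFirstBlock(keyFromSeed(s), iv, ct), vmdkMagic) {
			return s, true
		}
	}
	return 0, false
}
// encryptSample: constructed ciphertext of a VMDK header block (magic, version 1).
func encryptSample(seed int64, iv []byte) []byte {
	pt := append([]byte("KDMV\x01\x00\x00\x00"), make([]byte, 8)...)
	block, _ := aes.NewCipher(keyFromSeed(seed))
	ct := make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}
func main() {
	iv := make([]byte, 16) // constructed fixed IV for the demo
	s, ok := recoverSeed(encryptSample(1674900000, iv), iv, 1674800000, 1675000000)
	fmt.Println("seed recovered:", s, ok)
}
```

Because each candidate costs one key schedule and one block decryption, a window of a few hundred thousand seeds is checked in well under a second without touching the rest of the disk image.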

Additionally, the team discovered that many VMDK files are sparse – mostly empty space.

This allowed them to walk the internal file systems and recover unencrypted data directly, bypassing the need for full decryption in many cases.

The successful recovery highlights both the complexity of modern ransomware attacks and the importance of thorough technical analysis when dealing with encrypted data, proving that even nation-state-level cyber weapons can contain exploitable weaknesses.

The post DarkBit Hackers Target VMware ESXi, Encrypt VMDK Files in Ransomware Blitz appeared first on Cyber Security News.