Categories: Cyber Security News

DarkBit Hackers Target VMware ESXi, Encrypt VMDK Files in Ransomware Blitz

In the weeks after a series of drone strikes on Iranian military facilities in January 2023, a ransomware attack that experts believe was linked to nation-state actors hit a large organization. Cybersecurity researchers have since broken the encryption used in that attack and recovered the victim's data.

The incident illustrates both the evolving nature of cyber warfare and the technical expertise required to counter it.

DarkBit Ransomware Targets Critical Infrastructure

On January 28, 2023, three drones struck an ammunition factory belonging to the Iranian Defence Ministry in Isfahan, with additional explosions reported at oil facilities in Tabriz, Karaj, and Azarshahr.

While Israel made no official comment, intelligence agencies attributed the attacks to Israeli operations against Iranian infrastructure.

Following these physical attacks, a large organization contacted the Profero Incident Response Team after discovering that employee endpoints and multiple ESXi servers had been encrypted by ransomware from a previously unknown group calling itself “DarkBit.”

The attackers deployed a sophisticated tool named esxi.darkbit, specifically designed to encrypt virtual machine disk images on ESXi servers’ VMFS mounts.

The ransomware, developed in C++ and utilizing the Crypto++ cryptography library, required specific command-line parameters: ./esxi <path to vmfs> <seconds to sleep before encryption> <list of VMs to encrypt>.

The malware encrypted file contents with AES-128-CBC (16-byte keys), and each AES key was in turn wrapped with an RSA-2048 public key embedded in the binary, so that only the holder of the matching private key could recover it by design.

Analysis revealed that the tool used intermittent encryption: rather than encrypting each file in full, it encrypted fixed-size chunks separated by untouched gaps, trading completeness for speed on multi-gigabyte disk images.

For files under 6.55MB, it encrypted 0x100000-byte (1 MiB) chunks and skipped 0xa00000 bytes (10 MiB) between them.

Larger files used 0x200000-byte (2 MiB) chunks with the skip size calculated as (FILESIZE / 0x32) – 0x200000; since 0x32 is 50, this places roughly fifty encrypted chunks evenly across the file, so the larger the image, the smaller the fraction of it that is actually encrypted.
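The following Go program is an added reconstruction of that chunk-and-skip layout, not code from the article or from the malware itself. It takes the two rules above at face value and computes which byte ranges of a file of a given size end up encrypted, and therefore how much of a large VMDK survives as plaintext. Two details are assumptions because the page does not state them: the exact byte value of the "6.55MB" threshold, and what the encryptor does when (FILESIZE / 0x32) – 0x200000 is negative (files between the threshold and 100 MiB), which is treated here as "no gap".

```go
package main

import "fmt"

// Chunk-and-skip parameters from the write-up. The 6.55 MB threshold is the
// page's rounded figure; the exact constant is not given, so it is assumed here.
const (
	smallFileLimit = 6_550_000 // assumed: "files under 6.55MB"
	smallChunk     = 0x100000  // 1 MiB encrypted per stride for small files
	smallSkip      = 0xa00000  // 10 MiB left untouched between chunks
	largeChunk     = 0x200000  // 2 MiB encrypted per stride for large files
	largeDivisor   = 0x32      // 50: the stride is one fiftieth of the file
)

// Region is a byte range of the file that the encryptor overwrites.
type Region struct {
	Offset, Length int64
}

// encryptedRegions returns the ranges a file of the given size would have
// encrypted. The page does not say what happens when (size/0x32) - 0x200000
// is negative (files between the threshold and 100 MiB); this reconstruction
// assumes the chunks are then written back to back with no gap.
func encryptedRegions(size int64) []Region {
	chunk, skip := int64(smallChunk), int64(smallSkip)
	if size >= smallFileLimit {
		chunk = largeChunk
		skip = size/largeDivisor - largeChunk
		if skip < 0 {
			skip = 0 // assumption, see above
		}
	}
	var regions []Region
	for off := int64(0); off < size; off += chunk + skip {
		n := chunk
		if off+n > size {
			n = size - off
		}
		regions = append(regions, Region{Offset: off, Length: n})
	}
	return regions
}

// encryptedBytes sums the encrypted ranges, i.e. how much of the file is lost
// without the key.
func encryptedBytes(size int64) int64 {
	var total int64
	for _, r := range encryptedRegions(size) {
		total += r.Length
	}
	return total
}

// isEncrypted reports whether a given file offset falls inside an encrypted
// chunk; everything else can still be read back as plaintext.
func isEncrypted(size, offset int64) bool {
	for _, r := range encryptedRegions(size) {
		if offset >= r.Offset && offset < r.Offset+r.Length {
			return true
		}
	}
	return false
}

func main() {
	for _, size := range []int64{4 << 20, 100 << 20, 10 << 30} {
		enc := encryptedBytes(size)
		fmt.Printf("%12d bytes: %3d chunks, %10d encrypted (%.2f%%)\n",
			size, len(encryptedRegions(size)), enc, 100*float64(enc)/float64(size))
	}
}
```

Running it shows the asymmetry the text hints at: a 4 MiB file loses its first 1 MiB, a 100 MiB file is encrypted end to end (the stride equals the chunk size exactly there), while a 10 GiB image loses only about 100 MiB, under one percent of its contents.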

Technical Breakthrough Enables Data Recovery

Despite the ransomware’s apparent sophistication, Profero’s team identified critical implementation flaws.

The malware’s random number generator was seeded using predictable values: the current Unix timestamp, process PID, and two stack addresses.

This reduced the effective keyspace to roughly 2^39 candidates, far below the 2^128 that AES-128 nominally offers and small enough to search exhaustively.

The breakthrough came when researchers realized they could use the well-known VMDK file header as a known-plaintext anchor.

By decrypting only the first 16 bytes (a single AES block) of each encrypted file and comparing the result against the expected header, they could reject wrong candidate keys with one block operation each, instead of decrypting entire multi-gigabyte files per guess.
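To make the anchor technique concrete, here is an added Go example (not the researchers' tool, and not DarkBit code) that recovers a key by brute force while decrypting only the first block of the ciphertext. It assumes the IV is known to the analyst, that the target file is a sparse-extent VMDK whose header begins with the magic bytes "KDMV", and it stands in for the malware's weak seeding with a deliberately small, hypothetical keyspace: a 16-byte key taken from SHA-256 of a small integer seed. The sample ciphertext is constructed inside the program.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Sparse-extent VMDK files start with the magic number 0x564d444b, which is
// the ASCII bytes "KDMV" when written little-endian.
var vmdkMagic = []byte("KDMV")

// Demo parameters: an IV assumed known to the analyst and the seed the
// constructed sample is encrypted under. Both are test fixtures, not DarkBit values.
var demoIV = bytes.Repeat([]byte{0x42}, aes.BlockSize)

const demoSeed uint64 = 12345

// keyFromSeed is a hypothetical, deliberately weak key derivation standing in
// for the low-entropy keyspace the text describes. It is not DarkBit's scheme.
func keyFromSeed(seed uint64) []byte {
	var b [8]byte
	binary.LittleEndian.PutUint64(b[:], seed)
	sum := sha256.Sum256(b[:])
	return sum[:16]
}

// encryptCBC encrypts a block-aligned plaintext with AES-128-CBC, no padding.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not block aligned", len(plaintext))
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// headerMatches decrypts only the first 16-byte block and reports whether the
// result starts with the VMDK magic. In CBC the first plaintext block is
// D_k(C0) XOR IV, so one AES call per candidate key is all that is needed.
func headerMatches(key, iv, ciphertext []byte) bool {
	if len(ciphertext) < aes.BlockSize || len(iv) != aes.BlockSize {
		return false
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return false
	}
	first := make([]byte, aes.BlockSize)
	block.Decrypt(first, ciphertext[:aes.BlockSize])
	for i := range first {
		first[i] ^= iv[i]
	}
	return bytes.HasPrefix(first, vmdkMagic)
}

// recoverSeed walks the seed space [0, maxSeed) and returns the first seed
// whose derived key turns the first block back into a VMDK header.
func recoverSeed(iv, ciphertext []byte, maxSeed uint64) (uint64, bool) {
	for seed := uint64(0); seed < maxSeed; seed++ {
		if headerMatches(keyFromSeed(seed), iv, ciphertext) {
			return seed, true
		}
	}
	return 0, false
}

// buildSample constructs a fake encrypted VMDK header region for the demo: a
// 64-byte plaintext beginning with the sparse-extent magic and version field,
// encrypted under the key derived from trueSeed. Constructed test data only.
func buildSample(trueSeed uint64, iv []byte) ([]byte, error) {
	plain := make([]byte, 64)
	copy(plain, vmdkMagic)
	binary.LittleEndian.PutUint32(plain[4:], 1) // version, as in a real sparse header
	return encryptCBC(keyFromSeed(trueSeed), iv, plain)
}

func main() {
	ct, err := buildSample(demoSeed, demoIV)
	if err != nil {
		panic(err)
	}
	seed, ok := recoverSeed(demoIV, ct, 1<<16)
	fmt.Printf("recovered=%v seed=%d\n", ok, seed)
}
```

The four-byte magic gives a false-positive rate of about 2^-32 per candidate, so a hit can be confirmed by decrypting a few more header fields before spending time on the whole file. Against a real 2^39 keyspace the same loop is what would be parallelised; the per-candidate cost is what the anchor keeps small.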

Additionally, the team discovered that many VMDK files are sparse, consisting mostly of empty space.

Because the encryptor had only touched isolated chunks, and much of what lay between them was either empty or intact, the team could walk the guest file systems inside the images and carve out unencrypted data directly, bypassing full decryption in many cases.

The successful recovery highlights both the complexity of modern ransomware attacks and the value of thorough technical analysis of encrypted data, showing that even tooling attributed to nation-state-level actors can contain exploitable implementation weaknesses.


The post DarkBit Hackers Target VMware ESXi, Encrypt VMDK Files in Ransomware Blitz appeared first on Cyber Security News.
