A newly discovered ransomware campaign has targeted enterprise VMware ESXi<\/a> environments with military precision, deploying custom-built encryption tools that specifically hunt for virtual machine disk files across VMFS datastores.\u00a0<\/p>\n Security researchers have successfully reverse-engineered the attack methodology and developed breakthrough decryption techniques, revealing critical vulnerabilities in the threat actors\u2019 cryptographic implementation that enabled complete data recovery without ransom payment.<\/p>\n Profero Incident Response Team reports<\/a> that the DarkBit cybercriminal group launched a coordinated attack against VMware ESXi servers, deploying a sophisticated C++-based ransomware tool specifically designed to encrypt virtual machine disk images.\u00a0<\/p>\n The malware, identified as esxi.darkbit (SHA256: 0bb1d29ede51d86373e31485d0e24701558e50856722357372518edfb98265a1), systematically targeted VMFS datastores across enterprise environments.<\/p>\n The attackers utilized esxcli commands to ensure all virtual machines were stopped before beginning the encryption process.\u00a0<\/p>\n The ransomware then forked multiple processes to encrypt files concurrently, specifically targeting extensions including .vmdk, .vmx, .nvram, and other VMware-specific file formats.\u00a0<\/p>\n Each encrypted file received the .DARKBIT extension, rendering critical business systems inoperable.<\/p>\n Security researchers discovered the malware implements AES-128-CBC encryption using the widely-deployed Crypto++ cryptography library.\u00a0<\/p>\n The ransomware generates unique AES keys and initialization vectors (IV) for each file, with the symmetric keys subsequently encrypted using a hardcoded RSA-2048 public key embedded within the binary.<\/p>\n The malware\u2019s execution requires specific command-line parameters: .\/esxi <path to vmfs> <seconds to sleep before encryption> <list of VMs to encrypt>.\u00a0<\/p>\n During analysis, researchers found the encryption process deliberately skips portions of larger files\u2014encrypting 0x100000-byte chunks while skipping 0xa00000 bytes for files under 6.55MB, and using calculated skip sizes for larger files based on (FILESIZE \/ 0x32) \u2013 0x200000.<\/p>\n Critical vulnerabilities emerged in the random number generator implementation, which seeds using the current timestamp, process PID, and two stack addresses, creating a finite keyspace of approximately 2^39 possible values.<\/p>\n Incident response<\/a> teams successfully exploited weaknesses in the ransomware\u2019s cryptographic implementation to recover encrypted data without paying ransom demands.\u00a0<\/p>\n Researchers leveraged the known VMDK file header structure to perform targeted brute-force attacks against the AES keys, utilizing high-performance computing resources to systematically test key combinations.<\/p>\n The breakthrough came through recognizing that VMDK files contain predictable magic bytes in their headers, enabling a cryptanalysis attack against the AES-128-CBC first block when approximately 50 bits of plaintext were known.\u00a0<\/p>\n Additionally, investigators discovered that many critical files remained accessible by walking the internal VMDK filesystems, as the sparse nature of virtual disk files left substantial data unencrypted.<\/p>\n The successful recovery highlighted fundamental implementation flaws in the DarkBit ransomware<\/a>, demonstrating that sophisticated encryption algorithms become vulnerable when improperly implemented with weak random number generation and predictable seed values.<\/p>\n Equip your SOC with full access to the latest threat data from ANY.RUN TI Lookup<\/strong> that can Improve incident response -> Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post DarkBit Hackers Attacking VMware ESXi Servers to Deploy Ransomware and Encrypt VMDK Files<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/mark><\/strong>
1. DarkBit ransomware targets VMware ESXi servers.
2. Uses AES-128-CBC encryption with RSA-2048 keys.
3. Researchers broke encryption without ransom payment.<\/pre>\nDarkBit Ransomware Attacks<\/strong><\/h2>\n
Decryption Via Cryptographic Analysis<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXflpwmVsF1JORcs-oxEQw8HfBqxeTXvTPj9luN0JgaZcEQCcZx3D0hlS2K78VqvNPYgcmk0EIYT-XX5nLALixOgiQ9oQRPUOfLNh8eWDMM9KqUgrsMf_Nyy4ciXhVBKrofRItew?key=evdVKKK3wcTzO56zh5Gw5Q\")
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcUOjdwv6aqlwOi586arkPxJiglCSWm3imMaOtTduUqXXib3HyXTmi6OQ89k-11V_FtTrm_85nw48sMQScNnio41oTdreRjux1IU0Ey-YEADoL-RVvPY_2Uq2vl_nw3XqK08_tN?key=evdVKKK3wcTzO56zh5Gw5Q\")