The company experienced a ransomware attack by the DarkBit gang, which encrypted multiple VMware ESXi servers. The attackers, linked to the Iranian state-sponsored APT group MuddyWater, did not engage in ransom negotiations but aimed to cause operational disruption and reputational damage. Profero successfully decrypted the files by exploiting weaknesses in DarkBit's encryption, recovering significant data without paying the ransom. The attack was politically motivated, likely in retaliation for drone strikes in Iran.
TPRM report: https://www.rankiteo.com/company/proferosec
{
"id": "pro223081225",
"linkid": "proferosec",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'attack_vector': 'Ransomware',
 'data_breach': {'data_encryption': 'AES-128-CBC with RSA-2048',
                 'file_types_exposed': 'VMDK files'},
 'date_detected': '2023',
 'description': "Cybersecurity firm Profero cracked the encryption of the DarkBit ransomware gang's encryptors, allowing them to recover a victim's files for free without paying a ransom. The attack targeted VMware ESXi servers and was linked to Iranian state-sponsored APT group MuddyWater.",
 'impact': {'brand_reputation_impact': 'Reputational damage',
            'operational_impact': 'Operational disruption',
            'systems_affected': 'VMware ESXi servers'},
 'investigation_status': 'Resolved',
 'lessons_learned': "DarkBit's objectives would have been better served with a data wiper rather than ransomware.",
 'motivation': 'Retaliation for 2023 drone strikes in Iran, operational disruption, reputational damage',
 'post_incident_analysis': {'corrective_actions': 'Development of a tool to brute-force decryption keys, extraction of data from sparse VMDK files',
                            'root_causes': 'Low entropy key generation in DarkBit ransomware'},
 'ransomware': {'data_encryption': 'AES-128-CBC with RSA-2048',
                'ransom_demanded': '80 Bitcoin',
                'ransom_paid': 'None',
                'ransomware_strain': 'DarkBit'},
 'references': [{'source': 'BleepingComputer'}],
 'response': {'incident_response_plan_activated': True,
              'recovery_measures': 'Brute-forcing decryption keys, extracting data from sparse VMDK files',
              'remediation_measures': 'Decryption of files, recovery of data from VMDK files',
              'third_party_assistance': 'Profero'},
 'threat_actor': 'DarkBit (linked to MuddyWater, Iranian state-sponsored APT group)',
 'title': 'DarkBit Ransomware Attack on VMware ESXi Servers',
 'type': 'Ransomware Attack'}