289/68 Wednesday, August 13, 2025

Typically, when a company or organization falls victim to a ransomware attack, data recovery requires paying a ransom to the attackers, and even payment does not guarantee that the data will be restored. In this case, however, cybersecurity experts from Profero broke the encryption used by the DarkBit hacker group, enabling victims to recover their files without paying a single cent.

The incident occurred in 2023, when Profero was called in to respond to a ransomware attack targeting one of its client organizations. The attack had encrypted a large number of VMware ESXi servers. A thorough investigation found that the hacker group identifying itself as “DarkBit” falsely claimed to be pro-Israeli activists. A deeper investigation by Israel’s National Cyber Directorate revealed that DarkBit is actually linked to the Iran-backed hacker group known as MuddyWater, which has a long history of cyber-espionage operations.

What stood out in this attack was that the threat actors were not focused on extortion, but rather on causing business disruption and reputational damage to the victim, an approach consistent with state-sponsored threat groups posing as activists. Profero’s team analyzed the DarkBit malware and identified a flaw in its encryption mechanism, which enabled them to develop a custom decryption tool. While Profero has not released the tool publicly, the company announced its willingness to assist other victims of DarkBit ransomware upon request.