Darkbit

Threat Actor updated 9 months ago (2024-11-29T14:41:02.894Z)

Download STIX

Preview STIX

DarkBit is a notable threat actor in the cybersecurity landscape, believed to be sponsored by the Iranian government. The group first gained significant attention following a ransomware and extortion attack on Technion, a leading research university in Israel, in February 2023. During this attack, another threat group, DEV-1084, assumed the DarkBit persona, likely to mask their involvement. Further analysis of DarkBit's activities was presented in a VB2023 paper titled "Darkbit decoded: analysis of an Iranian-sponsored attack," which provided an in-depth examination of the group's tactics, techniques, and procedures. The group's modus operandi involves leaving encrypted files with the extension DARKBIT and dropping a ransom note. Their operations have been linked to several malware tools, including Play, Qilin, BianLian, and BlackCat, which are known to partially encrypt files. In response to these threats, CyberArk released a novel ransomware decryptor named White Phoenix in May 2023. This tool enables partial recovery for files subjected to intermittent encryption as performed by the aforementioned ransomware operations. It's noteworthy that the White Phoenix ransomware decryptor has been tested against documents that BlackCat had encrypted, showing potential for it to work on files that other malware tools might only partially encrypt. Furthermore, DarkBit's activities are not limited to Iran or Israel. They have also been implicated in a global ransomware spree targeting unpatched VMWare servers. As such, understanding and mitigating the risks posed by DarkBit remains a priority in the cybersecurity sector.

Description last updated: 2024-05-04T16:43:13.512Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransom

Ransomware

Bitcoin

Encryption

Israel

Apt

Malware

Extortion

Cybercrime

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with Darkbit. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p	Unspecified	2
The MuddyWater Threat Actor is associated with Darkbit. MuddyWater is an Advanced Persistent Threat (APT) actor that first surfaced in 2017, primarily targeting countries in the Middle East, Europe, and the USA. The group uses a range of techniques for its cyber-espionage activities, including PowerShell for execution, HTTP for C2 communications, and mal	Unspecified	2

Source Document References

Information about the Darkbit Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	15 days ago	Security Affairs newsletter Round 537 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	19 days ago	Researchers cracked the encryption used by DarkBit ransomware
CERT-EU	2 years ago	Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise
CERT-EU	3 years ago	After apparent hack, data from Australian tech giant Atlassian dumped online
CERT-EU	2 years ago	Toyota's bungling of customer privacy is becoming a pattern
CERT-EU	3 years ago	The cost of expected cybersecurity mandates: bigger energy bills for consumers
CSO Online	2 years ago	Iranian APT group launches destructive attacks in hybrid Azure AD environments
CERT-EU	2 years ago	Cryptojacking added to updated RapperBot DDoS botnet
CERT-EU	2 years ago	Signs of MuddyWater Developments Found in the DNS
CERT-EU	2 years ago	Newly identified APT group's motives in Ukraine baffle researchers
CERT-EU	3 years ago	Why the US needs the Bureau of Cyber Statistics right now
CERT-EU	2 years ago	Virus Bulletin :: Teasing the secrets from threat actors: malware configuration extractors
CERT-EU	2 years ago	Staten Island Hospital operating in network downtime amid ransomware attack
DARKReading	2 years ago	Free Tool Unlocks Some Encrypted Data in Ransomware Attacks
CERT-EU	2 years ago	Novel White Phoenix ransomware decryptor published
CERT-EU	3 years ago	'Pig butchering' scams on the rise, luring victims with promises of relationships and riches
CSO Online	2 years ago	UK universities at high risk of cybersecurity incidents due to breached credentials
CERT-EU	3 years ago	Hackers Target Israel’s Technion Demanding Huge Sum In Bitcoin \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker - National Cyber Security
CSO Online	3 years ago	Hackers attack Israel’s Technion university, demand over $1.7 million in ransom
BankInfoSecurity	3 years ago	Israel's Technion University Under Ransomware Attack