Darkbit

Threat Actor updated 4 months ago (2024-05-04T20:31:15.416Z)
DarkBit is a threat actor assessed to be sponsored by the Iranian government. The name first drew wide attention in February 2023, when a ransomware and extortion attack hit Technion, a leading Israeli research university, and the attackers demanded more than $1.7 million in Bitcoin. Microsoft subsequently attributed the intrusion to DEV-1084, a group it linked to the Iranian actor MERCURY (MuddyWater), and assessed that DEV-1084 adopted the DarkBit persona so that a destructive attack would look like ordinary criminal ransomware. The VB2023 paper "Darkbit decoded: analysis of an Iranian-sponsored attack" examined the group's tactics, techniques and procedures in depth.

In the Technion attack, encrypted files were given a DARKBIT extension and a ransom note was dropped. The DarkBit payload belongs to the set of ransomware families that use intermittent (partial) encryption, alongside BlackCat/ALPHV, Play, Qilin and BianLian: instead of encrypting a whole file, they encrypt only portions of it, trading completeness for speed. That shortcut is what makes partial recovery possible. In May 2023 CyberArk released White Phoenix, a free recovery tool that exploits exactly this gap: it does not break the cipher, but reconstructs what it can from the unencrypted portions of intermittently encrypted files, PDFs and ZIP-based Office documents among them. CyberArk tested it against documents encrypted by BlackCat and stated that it should also work on the output of the other families listed, DarkBit included, since they use the same partial-encryption approach.

Some reporting has also tied the DarkBit name to a wider wave of ransomware attacks against unpatched VMware servers, although the sources referenced below do not corroborate that link. Taken together, the evidence points to DarkBit as a state-directed destructive operation wearing a ransomware cover rather than a conventional extortion crew, which matters for how a victim should weigh the ransom demand, negotiation and recovery expectations.
Description last updated: 2024-05-04T16:43:13.512Z
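The partial recovery described above is easiest to understand with a small model of intermittent encryption. The following is an added example written for this profile; it is neither White Phoenix's code nor any ransomware family's implementation. It simulates a toy scheme that XORs every other 64-byte chunk of a file with a throwaway SHA-256 keystream (the chunk size, key, sample text and the 0.85 entropy threshold are all constructed for the illustration), then carves out the blocks that an entropy heuristic judges untouched, keeping their original offsets.

```python
import hashlib
import math
from typing import List, Tuple

# Toy parameters: assumptions for this example, not any real ransomware's values.
BLOCK = 64            # chunk size the toy scheme alternates over
MIN_ENTROPY_LEN = 32  # below this, a per-block entropy estimate is unreliable


def _keystream(key: bytes, chunk_no: int, length: int) -> bytes:
    """Deterministic toy keystream: SHA-256(key || chunk_no || counter).
    Stands in for the stream/XOR phase of a real payload; NOT secure crypto."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + chunk_no.to_bytes(4, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_intermittent_encrypt(data: bytes, key: bytes, block: int = BLOCK) -> bytes:
    """Encrypt even-numbered `block`-byte chunks and leave odd ones in the clear.

    This models intermittent (partial) encryption as a pattern; the point is that
    half the file survives byte-for-byte, regardless of how strong the cipher is.
    XOR is its own inverse, so applying this twice with the same key restores data."""
    out = bytearray(data)
    for chunk_no, start in enumerate(range(0, len(data), block)):
        if chunk_no % 2 == 0:
            end = min(start + block, len(data))
            ks = _keystream(key, chunk_no, end - start)
            for i in range(start, end):
                out[i] ^= ks[i - start]
    return bytes(out)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte of `buf`; 0.0 for empty input."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(buf: bytes) -> bool:
    """Heuristic: a block is 'encrypted' if its entropy is close to the maximum a
    block of that length can reach. Short tails fall back to a printable-ASCII
    ratio, because the entropy of a handful of bytes says little either way."""
    if len(buf) >= MIN_ENTROPY_LEN:
        max_bits = math.log2(min(len(buf), 256))
        return shannon_entropy(buf) / max_bits > 0.85
    printable = sum(1 for b in buf if 32 <= b < 127 or b in b"\r\n\t")
    return printable / max(len(buf), 1) < 0.8


def classify_blocks(data: bytes, block: int = BLOCK) -> List[Tuple[int, int, bool]]:
    """Return (offset, length, is_encrypted) for each block of `data`."""
    result = []
    for start in range(0, len(data), block):
        chunk = data[start:start + block]
        result.append((start, len(chunk), looks_encrypted(chunk)))
    return result


def carve_plaintext(data: bytes, block: int = BLOCK) -> List[Tuple[int, bytes]]:
    """Recover every run of blocks judged unencrypted, tagged with its original
    offset. Offsets matter: a fragment is only useful if you know where it sat."""
    fragments: List[Tuple[int, bytes]] = []
    run_start = None
    run = bytearray()
    for offset, length, enc in classify_blocks(data, block):
        if enc:
            if run:
                fragments.append((run_start, bytes(run)))
                run, run_start = bytearray(), None
            continue
        if run_start is None:
            run_start = offset
        run += data[offset:offset + length]
    if run:
        fragments.append((run_start, bytes(run)))
    return fragments


# Constructed sample input (not a real document): plain text spanning 8 blocks.
SAMPLE = (b"Dear finance team, please wire the Q3 vendor payment by Friday. "
          b"Invoice 2023-117 is attached; the bank details have not changed. "
          b"Regards, the procurement office.\n") * 3
KEY = b"toy-key-not-real"  # hypothetical key for the toy scheme


def demo() -> List[Tuple[int, bytes]]:
    """Damage the sample with the toy scheme, then carve out what survived."""
    damaged = toy_intermittent_encrypt(SAMPLE, KEY)
    return carve_plaintext(damaged)


if __name__ == "__main__":
    for offset, fragment in demo():
        print(f"offset {offset:4d}: {fragment!r}")
```

Running `demo()` returns the odd-numbered chunks of the sample intact, each with its offset, and nothing from the even-numbered ones. The entropy heuristic is enough for plain text, but it fails on files that are already high-entropy, such as the deflate-compressed members of a .docx or the compressed streams inside a PDF; there, unencrypted and encrypted regions look alike bytewise. That is why a real recovery tool for those formats has to parse the file structure and test which objects or archive entries are still internally consistent, rather than rely on a statistic over raw bytes.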
Aliases: none currently tracked.
Miscellaneous Associations (other elements of context that could aid in identifying relevance): Telegram, Bitcoin, Ransomware, Ransom, Israel, Malware, Cybercrime, Extortion
Associated Threat Actors
ID: Alphv
Type: Unspecified
Votes: 2
Profile Description: Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op
Source Document References
Information about the Darkbit Threat Actor was read from the documents corpus below.
Source (created) - Title
CERT-EU (a year ago) - Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise
CERT-EU (2 years ago) - After apparent hack, data from Australian tech giant Atlassian dumped online
CERT-EU (a year ago) - Toyota's bungling of customer privacy is becoming a pattern
CERT-EU (2 years ago) - The cost of expected cybersecurity mandates: bigger energy bills for consumers
CSO Online (a year ago) - Iranian APT group launches destructive attacks in hybrid Azure AD environments
CERT-EU (a year ago) - Cryptojacking added to updated RapperBot DDoS botnet
CERT-EU (a year ago) - Signs of MuddyWater Developments Found in the DNS
CERT-EU (a year ago) - Newly identified APT group's motives in Ukraine baffle researchers
CERT-EU (2 years ago) - Why the US needs the Bureau of Cyber Statistics right now
CERT-EU (a year ago) - Virus Bulletin :: Teasing the secrets from threat actors: malware configuration extractors
CERT-EU (a year ago) - Staten Island Hospital operating in network downtime amid ransomware attack
DARKReading (a year ago) - Free Tool Unlocks Some Encrypted Data in Ransomware Attacks
CERT-EU (a year ago) - Novel White Phoenix ransomware decryptor published
CERT-EU (2 years ago) - 'Pig butchering' scams on the rise, luring victims with promises of relationships and riches
CSO Online (a year ago) - UK universities at high risk of cybersecurity incidents due to breached credentials
CERT-EU (2 years ago) - Hackers Target Israel’s Technion Demanding Huge Sum In Bitcoin | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security
CSO Online (2 years ago) - Hackers attack Israel’s Technion university, demand over $1.7 million in ransom
BankInfoSecurity (2 years ago) - Israel's Technion University Under Ransomware Attack
CERT-EU (2 years ago) - New cybercrime group calling itself DarkBit attacks Israeli university
DARKReading (2 years ago) - Israel's Top Tech University Targeted by DarkBit Ransomware