Uncovering The Dark Side of DarkBit Ransomware

Politically-motivated cyberattacks carried out against Israel

One of the largest universities in Israel was recently targeted by a new ransomware called “DarkBit”, and the Threat Actor (TAs) identity behind the attack is still being investigated. While it’s uncertain whether the perpetrator is a disgruntled employee, pro-Palestinian activist, or a combination of both, the ransom note and social media accounts of the DarkBit group may offer some clues about their motives.

The figure below shows the Twitter handle of the DarkBit Group.

Figure 1 – DarkBit’s Twitter Account

According to the Twitter handle’s bio, the TAs behind the DarkBit ransomware attack are against any kind of racism, fascism, and apartheid and promote the hashtag “#HackForGood.”

The below image shows the tweet made by the threat actor, suggesting that the DarkBit ransomware attack may have been carried out by a former employee who was unhappy about their termination. It’s important to note that this is only speculation, and the true motives of the TAs are still unknown.

Figure 2 – DarkBit’s Tweet

Ransom notes left by TAs in ransomware attacks can provide important insights into the motivations and intentions of the attackers. In the case of the DarkBit group, their ransom note appears to be politically motivated, containing accusations of an apartheid regime, war crimes, and unjust termination of skilled employees.

Cyble Research and Intelligence Labs (CRIL) recently detected a sample of the DarkBit ransomware, and this analysis will delve into its technical details.

 Technical Analysis

The DarkBit Ransomware targets Windows operating systems and is compiled as a Go binary (Sha256: 9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff).

Figure 3 – Static information of file

Upon execution, the malware creates a Global mutex named “Global\\dbdbdbdb” to ensure one instance of malware is running at a time. The below figure shows the registry values when the CreateMutexW() API is being called.

Figure 4 – Mutex creation

The Ransomware then calls the GetLogicalDrives() API to identify all mounted drives and the GetDriveType() API to determine the drive type of each drive on the victim’s machine before initiating its encryption process.

Following that, the ransomware calls the CreateProcessW() API to execute vssadmin.exe and delete shadow copies on the victim’s machine, as shown below

Figure 5 – Deletion of shadow copies using vssadmin.exe

Now, ransomware employs multithreading for its encryption process, using several APIs such as NtDeviceIoControlFile(), GetQueuedCompletionStatusEx(), PostQueuedCompletionStatus(), and ResumeThread().

The image below depicts the multithreading process, where the ransomware uses two worker threads to encrypt files on the victim’s machine.

Figure 6 – Multithreading  

After employing multithreading for the encryption process, the ransomware then enumerates files in the identified drives. DarkBit Ransomware utilizes hardcoded configuration files in the ransomware binary that contain information about file extensions, file names, and directory names to be excluded from the encryption process. It also defines the procedure for encrypting larger files on the victim’s machine.

The ransomware excludes specific file extensions from the encryption process mentioned in the figure below.

Figure 7 – Excluded file extensions.

The ransomware also excludes specific filenames and directories from the encryption process. The value “1” next to each name indicates that these files and directories will not be encrypted when the ransomware runs.

Figure 8 – Excluded file and Directory names.

After eliminating the above list of files and folders, the ransomware will divide larger files into segments as per the size limit given in the configuration file. The highlighted configuration from the below figure says the maximum file size limit of 1000 megabytes (“limitMB”: 1000), which will segment files into two parts (“parts”: 2), and these two parts will have a maximum size of 12000 bytes (“eachPart”: 12000).

This means that files between 25 MB and 1000 MB will be divided into two segments, each of which is no larger than 12000 bytes. The ransomware will encrypt each of these smaller segments individually rather than encrypting the entire file at once.

Figure 9 – Size Limit Configuration

The ransomware now drops a ransom note named “RECOVERY_DARKBIT.txt” and proceeds to encrypt files on the victim’s machine, appending the “.Darkbit” extension to the encrypted files as shown below.

Figure 10 – Ransom Note and Encrypted files

In addition to encrypting files, the ransomware includes a marker “DARKBIT_ENCRYPTED_FILES” and encryption details, such as the encryption key, etc., at the end of the encrypted file.

Figure 11 – Marker added at the end of the encrypted file

The below figure shows the ransom note created by the ransomware.

Figure 12 – DarkBit Ransom note

In the ransom note dropped by DarkBit, victims are given instructions on how they cancontact the TAs via TOX messenger to recover the encrypted files personally. The ransom note also referred to a TOR website where victims can use their ID for communication with the attackers and attempt to recover their data.

Figure 13 – DarkBit’s Tor Website

The group has made it abundantly clear that they will levy an additional 30% penalty on the already sizeable ransom demand if the victim refuses to comply with their demands.

Furthermore, the attackers have explicitly stated their intention to sell any data that they have stolen after a period of five days if the ransom is not paid.

Figure 14 – DarkBit’s Support Page


Politically motivated ransomware attacks continue to pose a serious threat to governmental security and stability, business operations, and individual security. These attacks are primarily driven by political motives that intend to cause harm, disrupt operations, and cause financial losses.

In this case, we observed that DarkBit ransomware attacked one of the largest universities in Israel. DarkBit’s ransom note and social media accounts suggest that they are politically-motivated hacktivists working against institutional racism, war crimes, etc.

This attack serves as a reminder of the ongoing threat of ransomware attacks and the need for individuals and organizations to take proactive measures to protect their systems and data from such attacks.  

Our Recommendations

The following essential cybersecurity best practices create the first line of control against attackers. We recommend that our readers follow the best practices as given below:

  • Monitor incoming emails from suspicious and potentially malicious domains.
  • Back-up data on different locations and implement Business Continuity Planning (BCP). Keeping the Backup Servers isolated from the infrastructure helps fast data recovery.
  • Frequent Audits, Vulnerability Assessments, and Penetration Testing of organizational assets, including network and software.
  • Enforcement of VPN to safeguard endpoints.
  • Conduct frequent training on security awareness for the company’s employees to inform them about emerging threats.
  • Implementation of technology to understand the behavior of the ransomware-malware families and variants to block malicious payloads and counter potential attacks.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1204User Execution  
Data encrypted for impact
Inhibit System Recovery
System Information Discovery
File and Directory Discovery  

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ffSHA256DarkBit Executable

Comments are closed.

Scroll to Top