Skip to content
Ransomware group

DarkBit

DarkBit is a ransomware persona/group launched in 2023 that has been used in destructive cyber operations rather than conventional financially motivated ransomware activity.

Profile source: Mallory opens in a new tab

DarkBit

Family profile

DarkBit is a ransomware persona/group launched in 2023 that has been used in destructive cyber operations rather than conventional financially motivated ransomware activity. Multiple sources in the provided content link DarkBit to Iranian state-sponsored activity, specifically DEV-1084/Storm-1084 and MOIS-linked actors, with collaboration or association noted with MERCURY, now tracked as Mango Sandstorm/MuddyWater. The DarkBit persona was used in the February 2023 attack on the Technion Israel Institute of Technology in Israel, which Microsoft and other reporting described as a destructive operation masquerading as ransomware. Supporting content also states that DarkBit is believed to be associated with the MuddyWater Iranian espionage group and is cited as an example of Iran using fronts/personas to claim responsibility for disruptive attacks. Reported capabilities and characteristics in the content include ransomware-style encryption, but researchers and Israeli security firm Profero developed/deployed decryptors after identifying a weak key generation algorithm that allowed brute-forcing of the decryption key. High-confidence targeting reflected in the content includes Israeli organizations, specifically Technion, within the broader context of Iranian operations against regional adversaries and critical or strategic sectors. No additional specific IOCs are provided in the supplied content.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

2 named in public reporting
MuddyWater

...it has also been linked to disruptive operations targeting the Technion Israel Institute of Technology by adopting the DarkBit ransomware persona.

Reporting

Research mentioning DarkBit

Mar 21
The Hacker News

CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Patching by April 3, 2026

...it has also been linked to disruptive operations targeting the Technion Israel Institute of Technology by adopting the DarkBit ransomware persona.

Aug 17
Securityaffairs

Security Affairs newsletter Round 537 by Pierluigi Paganini – INTERNATIONAL EDITION

Researchers cracked the encryption used by DarkBit ransomware

Aug 13
Risky Biz Rss

Risky Bulletin: Crypto-thieves turn their sights to Open VSX

Israeli security firm Profero has developed a decryptor for the DarkBit ransomware. The decrypter exploits a weak key generation algorithm used by the DarkBit group to brute-force the decryption key. The DarkBit group launched in 2023 and is believed to be associated with the MuddyWater Iranian espionage group.

Dec 6
Web Archive

How Microsoft names threat actors - Microsoft Defender XDR | Microsoft Learn

Storm-1084 Iran DarkBit

Nov 2
Bushidotoken

Top 10 Cyber Threats of 2023

In February 2023, it was reported that the Technion Israel Institute of Technology, one of Israel's leading research universities was struck by DarkBit ransomware. In April 2023, Microsoft disclosed details about the suspected Iranian state-sponsored DarkBit destructive attack. The adversary responsible is tracked as DEV-1084, which partnered with another Iranian APT actor named MERCURY (now tracked as Mango Sandstorm or MuddyWater).

Oct 15
Curated Intelligence

Tracking Cyber Activity Surrounding War In Israel

"COBALT AZTEC, an Iranian state-sponsored threat group that operates and distributes DarkBit ransomware in destructive cyber attacks."

Jun 5
Sekoia

Iran Cyber Threat Overview

The DarkBit personna is another example. In February 2023, MuddyWater conducted an operation targeting Technion Israel Institute of Technology based in Haifa, with a false ransomware operation masquerading a destructive operation, using a front named “DarkBit group”.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.