Dark Angels Ransomware: Sophistication & High Stakes Attacks


    Overview

    The Dark Angels ransomware group is a sophisticated and stealthy cybercrime operation known for its targeted attacks on large organizations. Unlike many other ransomware groups, Dark Angels operates independently, eschewing the use of third-party affiliates or initial access brokers. This allows them to maintain a low profile and execute highly targeted attacks with precision.

    The group is infamous for its “big game hunting” approach, focusing on high-value targets in various industries, including healthcare, finance, and technology. To maximize their extortion potential, Dark Angels often employ double extortion tactics, threatening to leak stolen data if ransom demands are not met.

    The group has utilized multiple ransomware strains, including variants of Babuk and RagnarLocker, demonstrating their adaptability and technical prowess. Notably, Dark Angels was responsible for securing the largest known ransom payment in history, a staggering $75 million in 2024. While their exact origins remain uncertain, it is believed that the group operates from Russian-speaking regions. Their ability to maintain a low profile and execute highly effective attacks makes them a significant threat to organizations worldwide.

    Known Aliases

    Dark Angels, Dark Angels Team, White Rabbit, M A R I O ESXi.

    Country of Origin

    Russian-speaking regions. The exact location remains unconfirmed.

    Known High-Profile Victims of Dark Angels Ransomware

    • Johnson Controls (September 2023): The ransomware attack on the automation and manufacturing company targeted its VMware ESXi servers.
    • Undisclosed Victims: The Zscaler report highlights the $75 million ransom payment in 2024, the largest ever recorded. The victim's identity has not been disclosed, but the size of the payment indicates a significant target. The report also describes numerous attacks across healthcare, technology, manufacturing, and telecommunications, without naming specific victims.

    Common Methods of Infiltration Used by Dark Angels Ransomware

    • Phishing Emails: The Zscaler report identifies phishing emails as a vector for initial access.
    • Exploiting Publicly Exposed Vulnerabilities: The Zscaler report notes the exploitation of vulnerabilities in internet-facing systems, such as CVE-2023-22069, for initial access.
    • Lateral Movement: Once inside a network, the group demonstrates proficiency in lateral movement, escalating privileges to gain domain administrator access.

    Malware/Ransomware Strains Used by Dark Angels

    • Babuk: The early Dark Angels attacks used ransomware payloads based on the leaked Babuk source code. SentinelOne confirms that the Windows payloads of Dark Angels Team are derived from leaked Babuk builders.
    • Read the Manual (RTM) Locker: Zscaler reports that in July 2023, Dark Angels was observed using a variant of RTM Locker (also based on Babuk) for Windows systems. This variant included modifications to the encryption algorithm.
    • RagnarLocker (variant): Dark Angels uses a variant of RagnarLocker for encrypting files on Linux/ESXi systems. SentinelOne confirms the use of a bespoke codebase akin to RagnarLocker for Linux/ESXi payloads, distinct from their Babuk-derived Windows payloads.

    Modus Operandi of Dark Angels Ransomware

    • Sophistication and Stealth: Dark Angels' operations are marked by sophistication and stealth. The group does not outsource its attacks, instead focusing on a small number of large organizations for high-value ransom payments. It decides whether to deploy ransomware based on the potential business disruption, often prioritizing data exfiltration and extortion over encryption.
    • Double Extortion: The group practices double extortion, demanding ransom for both decryption and the prevention of data leaks. They utilize Telegram channels and their own leak site (“Dunghill Leak”) to publicize stolen data.
    • Operational Structure: The group appears to operate independently, not relying on third-party initial access brokers, which contributes to their stealth and success.
    • Target Selection: The group targets large enterprises across various industries, aiming for maximum financial gain with minimal disruption to maintain a low profile.
