
Who Are Dark Angels?
Who Are Dark Angels?
The Dark Angels group first surfaced in May 2022, operating through the Dunghill data leak platform. Initially thought to be a rebirth of the Babuk family, cybersecurity experts linked Dark Angels to Babuk after Babuk’s source code was exposed. Dark Angels took advantage of this to create their own ransomware versions and became well-known players in the ransomware scene quite quickly.

Image: A photo of Babuk’s ransomware source code being leaked
Dark Angels concentrate their efforts on sectors like healthcare, government, finance, and education, but they have recently broadened their scope to include significant industrial, technology, and telecommunication entities.
Unlike groups that depend on affiliate networks for initial access, Dark Angels operate independently, carefully choosing their targets to ensure significant returns on their efforts.
Dark Angels Noteworthy Attacks
Dark Angels Noteworthy Attacks
One of the standout incidents involving Dark Angels occurred in September 2023 when they targeted Johnson Controls, a company specializing in automation and manufacturing. The group used their ransomware to lock the company’s VMware ESXi servers and demanded a $51 million ransom after absconding with 27 terabytes of corporate data.

Image: A photo of Chainalysis mentioning the $75 million payment
Another noteworthy attack happened in 2024 when a Fortune 50 company paid a $75 million ransom. Although the identity of the company remains undisclosed, this event highlights the group’s knack for securing substantial ransom amounts from their victims. The attack involved stealing large quantities of data and threatening to expose it unless the ransom was paid—a strategy commonly referred to as double extortion.
Dark Angels’ Technical Aspects
Dark Angels’ Technical Aspects
Dark Angels employ a whole range of different methods to infiltrate and compromise their targets. Their Windows-based ransomware payloads, used from the Babuk source code, are engineered to impede system recovery while terminating processes that could disrupt the encryption process.
On Linux/ESXi platforms, Dark Angels utilize 64-bit ELF binaries created for Intel-based Linux systems. These binaries are responsible for tracking the encryption progress in a predetermined log file and employ AES encryption with a 256-bit key for file encryption.
The ransomware is flexible, accepting parameters to change its operations. For example, the Linux variant allows users to define the number of encryption threads running simultaneously, activate logging, and designate a log file name for tracking progress.

Image: A picture of the Dunghill data leak platform
On Windows systems, the ransomware can leverage arguments to enable network discovery and enumeration, facilitating its spread to neighboring hosts. While this feature elongates the encryption process within a network, it proves efficient.
In addition to its technical capabilities, Dark Angels adopt an approach known as “Big Game Hunting,” focusing on high-value targets rather than widespread attacks. This strategy enables them to demand large ransoms, exemplified by the reported $75 million payment.
Work With BlackFog
Work With BlackFog
Keep your organization safe from the effects of ransomware by utilizing BlackFog’s Anti Data Exfiltration (ADX) technology. Unlike antivirus programs, BlackFog’s ADX leverages advanced AI and behavioral analysis to monitor and block suspicious outbound data transfers in real time.
This proactive strategy effectively halts ransomware by preventing data leaks, removing the advantage cybercriminals have to demand ransom.
Make sure you take action to protect your data and ensure the security of your business with BlackFog ADX today.
Related Posts
Microsegmentation: Strengthening Network Security Against Zero Day Exploits
Find out why microsegmentation is an increasingly popular option for supporting zero trust networking approaches.
Patch Management: An Essential Part of Data Security
Ensuring you have a strong patch management strategy in place is essential in minimizing the risks posed by known vulnerabilities.
Layered Security – How a Defense-in-Depth Approach Guards Against Unknown Threats
Make sure your systems are fully protected from threats at every level by incorporating these six key layered security defense strategies.
Zero Trust Data Protection: Securing Your Data in a Perimeterless World
What should firms know about zero trust data protection and how can they ensure it is implemented effectively?
ZTNA vs VPN: Choosing the Right Secure Remote Access Solution
What are the pros and cons of ZTNA vs VPN remote access solutions and which should firms consider?
Zero Day Security Exploits: How They Work and How to Stay Safe
Learn about the risk posed by zero day security exploits and what firms can do to minimize their exposure to these issues.