Who Are Dark Angels?
Who Are Dark Angels?
The Dark Angels group first surfaced in May 2022, operating through the Dunghill data leak platform. Initially thought to be a rebirth of the Babuk family, cybersecurity experts linked Dark Angels to Babuk after Babuk’s source code was exposed. Dark Angels took advantage of this to create their own ransomware versions and became well-known players in the ransomware scene quite quickly.
Image: A photo of Babuk’s ransomware source code being leaked
Dark Angels concentrate their efforts on sectors like healthcare, government, finance, and education, but they have recently broadened their scope to include significant industrial, technology, and telecommunication entities.
Unlike groups that depend on affiliate networks for initial access, Dark Angels operate independently, carefully choosing their targets to ensure significant returns on their efforts.
Dark Angels Noteworthy Attacks
Dark Angels Noteworthy Attacks
One of the standout incidents involving Dark Angels occurred in September 2023 when they targeted Johnson Controls, a company specializing in automation and manufacturing. The group used their ransomware to lock the company’s VMware ESXi servers and demanded a $51 million ransom after absconding with 27 terabytes of corporate data.
Image: A photo of Chainalysis mentioning the $75 million payment
Another noteworthy attack happened in 2024 when a Fortune 50 company paid a $75 million ransom. Although the identity of the company remains undisclosed, this event highlights the group’s knack for securing substantial ransom amounts from their victims. The attack involved stealing large quantities of data and threatening to expose it unless the ransom was paid—a strategy commonly referred to as double extortion.
Dark Angels’ Technical Aspects
Dark Angels’ Technical Aspects
Dark Angels employ a whole range of different methods to infiltrate and compromise their targets. Their Windows-based ransomware payloads, used from the Babuk source code, are engineered to impede system recovery while terminating processes that could disrupt the encryption process.
On Linux/ESXi platforms, Dark Angels utilize 64-bit ELF binaries created for Intel-based Linux systems. These binaries are responsible for tracking the encryption progress in a predetermined log file and employ AES encryption with a 256-bit key for file encryption.
The ransomware is flexible, accepting parameters to change its operations. For example, the Linux variant allows users to define the number of encryption threads running simultaneously, activate logging, and designate a log file name for tracking progress.
Image: A picture of the Dunghill data leak platform
On Windows systems, the ransomware can leverage arguments to enable network discovery and enumeration, facilitating its spread to neighboring hosts. While this feature elongates the encryption process within a network, it proves efficient.
In addition to its technical capabilities, Dark Angels adopt an approach known as “Big Game Hunting,” focusing on high-value targets rather than widespread attacks. This strategy enables them to demand large ransoms, exemplified by the reported $75 million payment.
Work With BlackFog
Work With BlackFog
Keep your organization safe from the effects of ransomware by utilizing BlackFog’s Anti Data Exfiltration (ADX) technology. Unlike antivirus programs, BlackFog’s ADX leverages advanced AI and behavioral analysis to monitor and block suspicious outbound data transfers in real time.
This proactive strategy effectively halts ransomware by preventing data leaks, removing the advantage cybercriminals have to demand ransom.
Make sure you take action to protect your data and ensure the security of your business with BlackFog ADX today.
Related Posts
Ransomware Containment: Effective Strategies to Protect Your Business
Discover effective ransomware containment strategies for your business. This guide discusses network segmentation, zero trust, and practical best practices for IT managers and cybersecurity professionals to reduce ransomware damage.
Ransomware Meets Retail: Sainsbury’s, Starbucks and Morrisons Feel the Heat from Blue Yonder Attack
The Blue Yonder ransomware attack disrupted major retailers like Sainsbury’s, Starbucks, and Morrisons, highlighting the vulnerabilities of global supply chains and the urgent need for stronger cybersecurity defenses.
Top 5 Cyberattacks During Black Friday and Thanksgiving
Find out about the top five biggest cyberattacks for Black Friday and Thanksgiving, from data breaches and ransomware, to see the risks businesses experience during the holidays.
Healthcare Ransomware Attacks: How to Prevent and Respond Effectively
Learn how to protect yourself from healthcare ransomware attacks. We discuss the main security weaknesses, suggest security steps, and offer possible means of protecting patient information.
Everything That You Need to Know About the Dark Web and Cybercrime
Learn about the dark web, including who uses it, how it operates, and what tools cybercriminals obtain on it. Find out how BlackFog monitors networks, forums, and ransomware leak sites in order to stay ahead of new threats.
Ongoing: New Ransomware Gangs in 2024
Ransomware gangs continue to break records and BlackFog will track all new ransomware gangs in 2024.