Who Are Dark Angels?
Who Are Dark Angels?
The Dark Angels group first surfaced in May 2022, operating through the Dunghill data leak platform. Initially thought to be a rebirth of the Babuk family, cybersecurity experts linked Dark Angels to Babuk after Babuk’s source code was exposed. Dark Angels took advantage of this to create their own ransomware versions and became well-known players in the ransomware scene quite quickly.
Image: A photo of Babuk’s ransomware source code being leaked
Dark Angels concentrate their efforts on sectors like healthcare, government, finance, and education, but they have recently broadened their scope to include significant industrial, technology, and telecommunication entities.
Unlike groups that depend on affiliate networks for initial access, Dark Angels operate independently, carefully choosing their targets to ensure significant returns on their efforts.
Dark Angels Noteworthy Attacks
Dark Angels Noteworthy Attacks
One of the standout incidents involving Dark Angels occurred in September 2023 when they targeted Johnson Controls, a company specializing in automation and manufacturing. The group used their ransomware to lock the company’s VMware ESXi servers and demanded a $51 million ransom after absconding with 27 terabytes of corporate data.
Image: A photo of Chainalysis mentioning the $75 million payment
Another noteworthy attack happened in 2024 when a Fortune 50 company paid a $75 million ransom. Although the identity of the company remains undisclosed, this event highlights the group’s knack for securing substantial ransom amounts from their victims. The attack involved stealing large quantities of data and threatening to expose it unless the ransom was paid—a strategy commonly referred to as double extortion.
Dark Angels’ Technical Aspects
Dark Angels’ Technical Aspects
Dark Angels employ a whole range of different methods to infiltrate and compromise their targets. Their Windows-based ransomware payloads, used from the Babuk source code, are engineered to impede system recovery while terminating processes that could disrupt the encryption process.
On Linux/ESXi platforms, Dark Angels utilize 64-bit ELF binaries created for Intel-based Linux systems. These binaries are responsible for tracking the encryption progress in a predetermined log file and employ AES encryption with a 256-bit key for file encryption.
The ransomware is flexible, accepting parameters to change its operations. For example, the Linux variant allows users to define the number of encryption threads running simultaneously, activate logging, and designate a log file name for tracking progress.
Image: A picture of the Dunghill data leak platform
On Windows systems, the ransomware can leverage arguments to enable network discovery and enumeration, facilitating its spread to neighboring hosts. While this feature elongates the encryption process within a network, it proves efficient.
In addition to its technical capabilities, Dark Angels adopt an approach known as “Big Game Hunting,” focusing on high-value targets rather than widespread attacks. This strategy enables them to demand large ransoms, exemplified by the reported $75 million payment.
Work With BlackFog
Work With BlackFog
Keep your organization safe from the effects of ransomware by utilizing BlackFog’s Anti Data Exfiltration (ADX) technology. Unlike antivirus programs, BlackFog’s ADX leverages advanced AI and behavioral analysis to monitor and block suspicious outbound data transfers in real time.
This proactive strategy effectively halts ransomware by preventing data leaks, removing the advantage cybercriminals have to demand ransom.
Make sure you take action to protect your data and ensure the security of your business with BlackFog ADX today.
Related Posts
Manufacturing Industry Faces Surge in Ransomware Attacks in 2024
Ransomware attacks on the manufacturing industry are rising, with notable cases at MKS Instruments, Brunswick Corporation, Simpson Manufacturing, and The Clorox Company. Learn about the financial and operational impacts and why manufacturers are prime targets for cybercriminals.
The State of Ransomware 2024
BlackFog's state of ransomware report measures publicly disclosed and non-disclosed attacks globally.
Enterprise Ransomware Protection: Why it Matters
Why must enterprise ransomware protection be a critical component of any firm's cyber security strategy?
TAG Blog Series 1 – How ADX Supports and Implements Policy
Implementing Anti Data Exfiltration (ADX) solutions is critical for enterprise security. This article provides guidance on establishing effective ADX deployment policies, with a focus on aligning them with business objectives and threat perceptions. Highlighting BlackFog's ADX solution, it explores proactive strategies to prevent data exfiltration, offering valuable insights for practitioners aiming to enhance their security posture.
5 Steps to Ensure Your Enterprise Data Security
Why do enterprise data security strategies need to evolve to cope with a new range of threats?
Ransomware Recovery: Key Steps Every Firm Should Know
What should businesses keep in mind in order to develop an effective ransomware recovery plan?