Dark Angels Ransomware Attacking Windows And Linux/ESXi Systems

The sophisticated ransomware group Dark Angels, active since 2022, targets large companies for substantial ransom payments by employing third-party ransomware payloads like Babuk, RTM Locker, and RagnarLocker to encrypt files on Windows and Linux systems. 

It employs ransomware in a strategic manner, taking into account the potential impact of file encryption, in order to minimize the disruption to business operations. 

Prioritizing data theft, they demand payment to prevent the release of stolen information, even when ransomware deployment is avoided. With a record-breaking $75M ransom payment in 2024, Dark Angels remain a formidable threat to businesses.

The Dark Angels ransomware group, originating in Russian-speaking regions, emerged in 2021 and began targeting global businesses.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

Initially using Babuk-based ransomware, they transitioned to double extortion tactics in 2023, releasing stolen data on Telegram and their own data leak site, Dunghill Leak. 

In April 2023, they adopted RTM Locker, a ransomware-as-a-service, for Windows attacks and also leveraged RagnarLocker, a Linux/ESXi encryptor, despite its shutdown in 2023.

Throughout its operations, it has evolved its tactics, expanded its target base, and demonstrated resilience in the face of law enforcement actions.

The group leverages phishing emails and exploits vulnerabilities like CVE-2023-22069 in publicly exposed applications to infiltrate corporate networks. 

Once inside, they conduct reconnaissance, escalate privileges to obtain domain administrator accounts, and exfiltrate sensitive data. Large datasets can take weeks to transfer, posing a significant risk to compromised organizations.

It directly targets large enterprises for high-value ransom payments. Unlike many others, they avoid outsourcing attacks, ensuring precision and control, as their focus is on exfiltrating vast amounts of data, up to 100 TB, before deciding whether to deploy ransomware. 

This strategic approach, prioritizing stealth over widespread disruption, has allowed them to remain relatively unknown, evade media attention, and demand substantial ransoms by successfully attacking various industries, including healthcare, technology, manufacturing, and telecommunication.

It employs a variant of RTM Locker for Windows encryption, using ChaCha20 and ECC for a more secure approach compared to Babuk.

On Linux and ESXi, they leverage a RagnarLocker variant combining secp256k1 ECC and AES-256-CBC. 

According to Zscaler Blog, the encryption process involves generating a per-system private key, deriving a public key, performing ECDH key exchange, and encrypting files with the shared secret. 

A unique footer containing encryption parameters is appended to encrypted files. The -m parameter allows for partial encryption of large files, optimizing the process.

Dark Angel has achieved significant financial success through a unique approach.

Unlike most ransomware groups that rely on affiliate networks, it operates independently, targeting high-value organizations and strategically deploying ransomware only when it will have minimal business disruption. 

By focusing on stealing sensitive data and avoiding excessive publicity, Dark Angels has successfully extorted large sums of money, as evidenced by the record $75 million ransom payment received in March 2024.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar