CVE/vulnerability

Dark Angels Ransomware Attacking Windows And Linux/ESXi Systems

The sophisticated ransomware group Dark Angels, active since 2022, targets large companies for substantial ransom payments by employing third-party ransomware payloads like Babuk, RTM Locker, and RagnarLocker to encrypt files on Windows and Linux systems. 

It employs ransomware in a strategic manner, taking into account the potential impact of file encryption, in order to minimize the disruption to business operations. 

Prioritizing data theft, they demand payment to prevent the release of stolen information, even when ransomware deployment is avoided. With a record-breaking $75M ransom payment in 2024, Dark Angels remain a formidable threat to businesses.

The Dark Angels self-described mission on their data leak site.

The Dark Angels ransomware group, originating in Russian-speaking regions, emerged in 2021 and began targeting global businesses.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

Initially using Babuk-based ransomware, they transitioned to double extortion tactics in 2023, releasing stolen data on Telegram and their own data leak site, Dunghill Leak. 

In April 2023, they adopted RTM Locker, a ransomware-as-a-service, for Windows attacks and also leveraged RagnarLocker, a Linux/ESXi encryptor, despite its shutdown in 2023.

Throughout its operations, it has evolved its tactics, expanded its target base, and demonstrated resilience in the face of law enforcement actions.

The group leverages phishing emails and exploits vulnerabilities like CVE-2023-22069 in publicly exposed applications to infiltrate corporate networks. 

Once inside, they conduct reconnaissance, escalate privileges to obtain domain administrator accounts, and exfiltrate sensitive data. Large datasets can take weeks to transfer, posing a significant risk to compromised organizations.

group logo.

It directly targets large enterprises for high-value ransom payments. Unlike many others, they avoid outsourcing attacks, ensuring precision and control, as their focus is on exfiltrating vast amounts of data, up to 100 TB, before deciding whether to deploy ransomware. 

This strategic approach, prioritizing stealth over widespread disruption, has allowed them to remain relatively unknown, evade media attention, and demand substantial ransoms by successfully attacking various industries, including healthcare, technology, manufacturing, and telecommunication.

Example of the Dark Angels encrypted file structure for a file less than 10 MB.

It employs a variant of RTM Locker for Windows encryption, using ChaCha20 and ECC for a more secure approach compared to Babuk.

On Linux and ESXi, they leverage a RagnarLocker variant combining secp256k1 ECC and AES-256-CBC. 

According to Zscaler Blog, the encryption process involves generating a per-system private key, deriving a public key, performing ECDH key exchange, and encrypting files with the shared secret. 

A unique footer containing encryption parameters is appended to encrypted files. The -m parameter allows for partial encryption of large files, optimizing the process.

ansomware modes by file encryption percentages

Dark Angel has achieved significant financial success through a unique approach.

Unlike most ransomware groups that rely on affiliate networks, it operates independently, targeting high-value organizations and strategically deploying ransomware only when it will have minimal business disruption. 

By focusing on stealing sensitive data and avoiding excessive publicity, Dark Angels has successfully extorted large sums of money, as evidenced by the record $75 million ransom payment received in March 2024.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar

Aman Mishra

Recent Posts

GitLab Security Update, Patch for Critical Vulnerabilities

GitLab announced the release of critical security patches for its Community Edition (CE) and Enterprise…

59 minutes ago

BadRAM Attack Breaches AMD Secure VMs with $10 Device

Researchers have uncovered a vulnerability that allows attackers to compromise AMD's Secure Encrypted Virtualization (SEV)…

2 hours ago

Splunk RCE Vulnerability Let Attackers Execute Remote Code

Splunk, the data analysis and monitoring platform, is grappling with a Remote Code Execution (RCE)…

3 hours ago

Europol Shutsdown 27 DDoS Service Provider Platforms

In a major international operation codenamed “PowerOFF,” Europol, collaborating with law enforcement agencies across 15…

4 hours ago

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC)…

18 hours ago

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive…

18 hours ago