Who Are Dark Angels?
Who Are Dark Angels?
The Dark Angels group first surfaced in May 2022, operating through the Dunghill data leak platform. Initially thought to be a rebirth of the Babuk family, cybersecurity experts linked Dark Angels to Babuk after Babuk’s source code was exposed. Dark Angels took advantage of this to create their own ransomware versions and became well-known players in the ransomware scene quite quickly.
Image: A photo of Babuk’s ransomware source code being leaked
Dark Angels concentrate their efforts on sectors like healthcare, government, finance, and education, but they have recently broadened their scope to include significant industrial, technology, and telecommunication entities.
Unlike groups that depend on affiliate networks for initial access, Dark Angels operate independently, carefully choosing their targets to ensure significant returns on their efforts.
Dark Angels Noteworthy Attacks
Dark Angels Noteworthy Attacks
One of the standout incidents involving Dark Angels occurred in September 2023 when they targeted Johnson Controls, a company specializing in automation and manufacturing. The group used their ransomware to lock the company’s VMware ESXi servers and demanded a $51 million ransom after absconding with 27 terabytes of corporate data.
Image: A photo of Chainalysis mentioning the $75 million payment
Another noteworthy attack happened in 2024 when a Fortune 50 company paid a $75 million ransom. Although the identity of the company remains undisclosed, this event highlights the group’s knack for securing substantial ransom amounts from their victims. The attack involved stealing large quantities of data and threatening to expose it unless the ransom was paid—a strategy commonly referred to as double extortion.
Dark Angels’ Technical Aspects
Dark Angels’ Technical Aspects
Dark Angels employ a whole range of different methods to infiltrate and compromise their targets. Their Windows-based ransomware payloads, used from the Babuk source code, are engineered to impede system recovery while terminating processes that could disrupt the encryption process.
On Linux/ESXi platforms, Dark Angels utilize 64-bit ELF binaries created for Intel-based Linux systems. These binaries are responsible for tracking the encryption progress in a predetermined log file and employ AES encryption with a 256-bit key for file encryption.
The ransomware is flexible, accepting parameters to change its operations. For example, the Linux variant allows users to define the number of encryption threads running simultaneously, activate logging, and designate a log file name for tracking progress.
Image: A picture of the Dunghill data leak platform
On Windows systems, the ransomware can leverage arguments to enable network discovery and enumeration, facilitating its spread to neighboring hosts. While this feature elongates the encryption process within a network, it proves efficient.
In addition to its technical capabilities, Dark Angels adopt an approach known as “Big Game Hunting,” focusing on high-value targets rather than widespread attacks. This strategy enables them to demand large ransoms, exemplified by the reported $75 million payment.
Work With BlackFog
Work With BlackFog
Keep your organization safe from the effects of ransomware by utilizing BlackFog’s Anti Data Exfiltration (ADX) technology. Unlike antivirus programs, BlackFog’s ADX leverages advanced AI and behavioral analysis to monitor and block suspicious outbound data transfers in real time.
This proactive strategy effectively halts ransomware by preventing data leaks, removing the advantage cybercriminals have to demand ransom.
Make sure you take action to protect your data and ensure the security of your business with BlackFog ADX today.
Related Posts
The Johnson Controls Ransomware Attack – Impact and Key Insights Review
In September 2023, Johnson Controls International suffered a ransomware attack linked to the Dark Angels group, resulting in the theft of 27TB of sensitive data. The breach caused $27 million in losses and disrupted operations, highlighting the critical need for robust cybersecurity defenses.
The 2024 Vulnerability Crisis – Managing Cybersecurity Threats
Learn how organizations can meet the onslaught of cybersecurity vulnerabilities, along with five of the most common vulnerabilities and successful management strategies. Find out why there’s a new vulnerability every 17 minutes.
What is Data Loss Prevention? | A Complete Guide to DLP Security
Data is the most valuable asset today's businesses possess - and volumes are growing all the time. In this article we look at what data loss prevention means heading into 2025 and what should firms be doing to improve their capabilities?
BlackFog: Personal Liability Concerns Impact 70% of Cybersecurity Leaders
70% of cybersecurity leaders face personal liability concerns. Discover how it impacts governance, accountability, and cybersecurity practices.
Ongoing: New Ransomware Gangs in 2024
Ransomware gangs continue to break records and BlackFog will track all new ransomware gangs in 2024.
BlackCat Ransomware: What It Is and How to Defend Against It
Learn how to protect your business from BlackCat ransomware with essential insights, ransomware prevention tips, and actionable defense strategies to mitigate risk.