The Dark Angels group first surfaced in May 2022, operating through the Dunghill data leak platform. Initially thought to be a rebirth of the Babuk family, cybersecurity experts linked Dark Angels to Babuk after Babuk’s source code was exposed. Dark Angels took advantage of this to create their own ransomware versions and became well-known players in the ransomware scene quite quickly.

Image: A photo of Babuk’s ransomware source code being leaked

Dark Angels concentrate their efforts on sectors like healthcare, government, finance, and education, but they have recently broadened their scope to include significant industrial, technology, and telecommunication entities.

Unlike groups that depend on affiliate networks for initial access, Dark Angels operate independently, carefully choosing their targets to ensure significant returns on their efforts.

One of the standout incidents involving Dark Angels occurred in September 2023 when they targeted Johnson Controls, a company specializing in automation and manufacturing. The group used their ransomware to lock the company’s VMware ESXi servers and demanded a $51 million ransom after absconding with 27 terabytes of corporate data.

Image: A photo of Chainalysis mentioning the $75 million payment

Another noteworthy attack happened in 2024 when a Fortune 50 company paid a $75 million ransom. Although the identity of the company remains undisclosed, this event highlights the group’s knack for securing substantial ransom amounts from their victims. The attack involved stealing large quantities of data and threatening to expose it unless the ransom was paid—a strategy commonly referred to as double extortion.

Dark Angels employ a whole range of different methods to infiltrate and compromise their targets. Their Windows-based ransomware payloads, used from the Babuk source code, are engineered to impede system recovery while terminating processes that could disrupt the encryption process.

On Linux/ESXi platforms, Dark Angels utilize 64-bit ELF binaries created for Intel-based Linux systems. These binaries are responsible for tracking the encryption progress in a predetermined log file and employ AES encryption with a 256-bit key for file encryption.

The ransomware is flexible, accepting parameters to change its operations. For example, the Linux variant allows users to define the number of encryption threads running simultaneously, activate logging, and designate a log file name for tracking progress.

Image: A picture of the Dunghill data leak platform

On Windows systems, the ransomware can leverage arguments to enable network discovery and enumeration, facilitating its spread to neighboring hosts. While this feature elongates the encryption process within a network, it proves efficient.

In addition to its technical capabilities, Dark Angels adopt an approach known as “Big Game Hunting,” focusing on high-value targets rather than widespread attacks. This strategy enables them to demand large ransoms, exemplified by the reported $75 million payment.

Keep your organization safe from the effects of ransomware by utilizing BlackFog’s Anti Data Exfiltration (ADX) technology. Unlike antivirus programs, BlackFog’s ADX leverages advanced AI and behavioral analysis to monitor and block suspicious outbound data transfers in real time.

This proactive strategy effectively halts ransomware by preventing data leaks, removing the advantage cybercriminals have to demand ransom.

Make sure you take action to protect your data and ensure the security of your business with BlackFog ADX today.