The rebranded Babuk ransomware group, DarkAngels, recently made headlines by extorting a record $75 million from a Fortune 50 company. They are among the notable ransomware groups of 2024. Zscaler ThreatLabz's latest report highlights a troubling trend in cybersecurity, showing a 17.8% increase in ransomware attacks over the past year [1]. The manufacturing, healthcare, and technology sectors are the most affected by these attacks.
ThreatLabz's report also reveals a 57.81% increase in companies targeted by ransomware attacks and listed on data leak sites compared to last year [2]. Now that all eyes are on DarkAngels ransomware and their historic ransom payment, let’s look at the threat actor’s most recent attack, as well as their tactics and techniques.
[1] Zscaler ThreatLabz 2024 Ransomware Report | Threat Research
[2] Zscaler ThreatLabz 2024 Ransomware Report | Threat Research
In 2022, a new ransomware named DarkAngels was used in a highly targeted attack. Discovered by Cyble Research Labs, the ransomware shared similarities with the now-defunct Babuk ransomware. Although the group keeps a very low profile, DarkAngels has risen to prominence fairly quickly.
DarkAngels uses a unique and highly targeted strategy by focusing on one large company at a time, setting them apart from most ransomware groups. Unlike these groups, which often rely on broad, indiscriminate targeting and affiliate networks to spread their attacks, DarkAngels aims for high-value targets. This approach allows them to demand larger ransoms from major corporations, distinguishing their methods and goals within the ransomware landscape.
DarkAngels ransomware emerged in May 2022, targeting Windows systems. At that time, static analysis identified the malware as a 32-bit GUI-based binary. The malware called the SetProcessShutdownParameters() API to set its own shutdown level to zero, so that during a system shutdown its process is terminated last and encryption can run as long as possible.
DarkAngels gained initial access via malspam messages distributing Remote Access Trojans (RATs). These RATs deploy a SOCKS5 backdoor to maintain persistence. The threat actors then scanned the compromised network to find weak access points and valid credentials for lateral movement. They exploited weak and common passwords to access NAS instances and other enterprise assets, exfiltrating sensitive data before encrypting the system. The attackers were observed remaining in the system for five months before initiating encryption.
Key tactics, techniques, and procedures (TTPs) include:
This methodical approach allowed DarkAngels to maintain control and maximize their impact on compromised systems.
The figure below shows the ransom note left by the malware, titled “How_To_Restore_Your_Files.txt,” which instructs victims on how to pay the ransom to obtain the decryption tool.
Image 1: DarkAngels' Ransomware Note
Source: Cyble
In the threat actor’s ransom note, the victim is instructed to contact them via their TOR website. Additionally, they threaten to disclose the victims' data if there is no response within four days, warning they will notify government agencies, competitors, and clients.
Once the ransom notes were dropped, the malware encrypted the files on the victim’s machine, appending the ".crypt" extension to the filenames.
While DarkAngels originally used Windows and VMware ESXi encryptors based on Babuk ransomware code, they later shifted to a Linux encryptor used by Ragnar Locker. In September 2023, Johnson Controls, an automation and manufacturing company, fell victim to a ransomware attack where their VMware ESXi servers were encrypted by DarkAngels ransomware.
DarkAngels now shares notable traits with Ragnar Locker, although it shows no overlap with the Babuk ESXi locker source code used by many Linux ransomware families. The ransomware requires operators to specify a root directory for encryption and supports multiple optional arguments.
DarkAngels logs encryption progress to a hardcoded file and can handle locked files by terminating their associated processes. Interestingly, the ransomware group creates a ransom note for each encrypted file, which is uncommon among ransomware. It uses AES-256 for encryption and has several operational similarities with Ragnar Locker, such as using the same log file name and encryption mechanism.
Further analysis reveals that both Dark Angels and Ragnar Locker share the same file extension (.crypted) and exclusion lists for critical system files. However, Dark Angels includes additional functionalities and arguments not present in Ragnar Locker. The 2022 and 2023 variants of Dark Angels direct victims to different .onion addresses and have changed their method for providing proof-packs, with the latest version using password-protected links.
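The file-level artefacts described above (the "How_To_Restore_Your_Files.txt" note, the ".crypt" extension of the 2022 Windows build and the ".crypted" extension of the later Linux/ESXi build, and the newer one-note-per-file behaviour) are what an incident responder can triage for on a mounted disk image or NAS share. The following is an added example written for this post, not code from the article or any vendor tool; the directory names and files it builds are constructed, and the assumption that per-file notes reuse the note title as a suffix is the author's, not the page's.

```python
"""Triage a directory tree for DarkAngels-style encryption artefacts (added example)."""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXTS = {".crypt", ".crypted"}        # 2022 Windows build vs. 2023 Linux/ESXi build
RANSOM_NOTE = "How_To_Restore_Your_Files.txt"  # note title from the 2022 sample

def is_ransom_note(name):
    # Assumption: per-file notes keep the note title as a suffix ("<file>.How_To_Restore_Your_Files.txt")
    return name.lower().endswith(RANSOM_NOTE.lower())

def triage_tree(root):
    """Walk `root`; report encrypted files, ransom notes and extension variants per directory."""
    dirs, variants = {}, Counter()
    for dirpath, _, files in os.walk(root):
        enc = [f for f in files if os.path.splitext(f)[1].lower() in ENCRYPTED_EXTS]
        notes = [f for f in files if is_ransom_note(f)]
        if enc or notes:
            dirs[os.path.relpath(dirpath, root)] = {"encrypted": len(enc), "notes": len(notes)}
            variants.update(os.path.splitext(f)[1].lower() for f in enc)
    total_enc = sum(d["encrypted"] for d in dirs.values())
    total_notes = sum(d["notes"] for d in dirs.values())
    return {
        "dirs": dirs,
        "encrypted_files": total_enc,
        "ransom_notes": total_notes,
        "variants": dict(variants),            # which build the extension points to
        # at least one note per encrypted file hints at the newer per-file-note behaviour
        "note_per_file": total_enc > 0 and total_notes >= total_enc,
        "suspected_darkangels": total_enc > 0 and total_notes > 0,
    }

def build_sample_tree(infected=True):
    """Create a constructed snapshot in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="da_triage_")
    layout = {"home": ["notes.txt"]}           # clean directory, must not be reported
    if infected:
        layout["docs"] = ["report.docx.crypt", "budget.xlsx.crypt", RANSOM_NOTE]
        layout["vms"] = ["vm1.vmdk.crypted", RANSOM_NOTE]
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root

if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Run it against a read-only mount of the affected volume; the per-directory counts also show how far encryption progressed before the process was stopped.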
An OSINT analysis reveals that DarkAngels operators create a unique page for each victim, accessible via a specific URL.
Image 2: DarkAngels' Tor Site Welcome Page
Source: NetEye
The homepage features a simple design with a logo and no information about the ransomware group or its victims. Due to some misconfigurations in the hidden service, security researchers were able to gather details about the infrastructure used by DarkAngels.
The application is published exclusively on the HTTPS protocol, using a self-signed certificate. The site is built using the Symfony PHP framework, with metadata indicating a 2020 creation date, suggesting it could be an older project repurposed for targeted attacks.
Each victim page includes a header with a countdown and a body section showing multiple pieces of evidence regarding the exfiltrated materials. The group does not use a CDN; instead, all files shared on the victim page are distributed via the ufile[.]io sharing service. Additionally, the page revealed a chat section for negotiation.
In early 2024, a Fortune 50 company paid a record-breaking $75 million ransom to DarkAngels, as detailed in Zscaler ThreatLabz's 2024 Ransomware Report. This amount is nearly double the previous highest known ransom of $40 million paid by CNA after an Evil Corp ransomware attack. While the exact company wasn't disclosed, it is suspected that pharmaceutical giant Cencora, ranked #10 on the Fortune 50 list and attacked in February 2024, might be the victim. Zscaler noted that this substantial ransom could encourage other attackers to adopt Dark Angels' tactics.
DarkAngels has evolved significantly since its emergence in 2022. Initially linked to the Babuk ransomware's source code, Dark Angels has since developed its own distinct tools and techniques, particularly for targeting VMware ESXi servers. The group's recent attacks, such as the one on Johnson Controls, demonstrate their sophisticated approach, including the use of AES-256 encryption, detailed logging mechanisms, and specific arguments for customization.
The comparative analysis with Ragnar Locker highlights Dark Angels' strategic adoption of successful ransomware tactics while also introducing unique elements to enhance their operations. Their methodical approach to targeting high-value companies, coupled with the use of advanced encryption and coercive tactics, makes them a threat actor to watch. As they continue to adapt and innovate, it is important for security teams to stay vigilant and use robust defense measures to mitigate the risks of threat actors like DarkAngels.
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire.
NOTE: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager.
Rebranded Babuk Ransomware In Action: DarkAngels Ransomware Performs Targeted Attack - Cyble
Dark Angels | ESXi Ransomware Borrows Code & Victimology From RagnarLocker - SentinelOne
Dark Angels ransomware receives record-breaking $75 million ransom - BleepingComputer
dark-angels-ransomware-apr28-22-5.pdf - Mphasis
Another Ransomware for Linux Likely in Development - Uptycs
DarkAngels Ransomware Used as Part of a Highly Targeted Attack - Cyber Security News
Zscaler ThreatLabz 2024 Ransomware Report | Threat Research - Zscaler
Company Paid Record-Breaking $75 Million to Ransomware Group: Report - SecurityWeek
Johnson Controls says ransomware attack cost $27 million, data stolen - BleepingComputer
Impact of Johnson Controls ransomware attack detailed - SC Media
Johnson Controls Ransomware Attack Demands $51m - Security Journal Americas
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.