EXECUTIVE SUMMARY

The rebranded Babuk ransomware group, DarkAngels, recently made headlines by extorting a record $75 million from a Fortune 50 company, placing them among the most notable ransomware groups of 2024. Zscaler ThreatLabz's latest report highlights a troubling trend in cybersecurity, showing a 17.8% increase in ransomware attacks over the past year [1]. The manufacturing, healthcare, and technology sectors are the most affected by these attacks.

ThreatLabz's report also reveals a 57.81% increase in companies targeted by ransomware attacks and listed on data leak sites compared to last year [2]. Now that all eyes are on DarkAngels ransomware and their record ransom payment, let's look at the threat actor's most recent attack, as well as their tactics and techniques.

 

[1] Zscaler ThreatLabz 2024 Ransomware Report | Threat Research

[2] Zscaler ThreatLabz 2024 Ransomware Report | Threat Research

 

TIR SNAPSHOT

  • In 2022, a new ransomware named DarkAngels was used in a highly targeted attack. Discovered by Cyble Research Labs, the ransomware shared similarities with the now-defunct Babuk ransomware.
  • During that time, through static analysis, experts identified the malware as a 32-bit GUI-based binary. DarkAngels gained initial access via malspam messages distributing Remote Access Trojans (RATs). These RATs deploy a SOCKS5 backdoor to maintain persistence.
  • This methodical approach allowed DarkAngels to maintain control and maximize their impact on compromised systems.
  • While DarkAngels originally used Windows and VMware ESXi encryptors based on Babuk ransomware code, they later shifted to a Linux encryptor used by Ragnar Locker.
  • In September 2023, Johnson Controls, an automation and manufacturing company, fell victim to a ransomware attack where their VMware ESXi servers were encrypted by DarkAngels ransomware.
  • DarkAngels logs encryption progress to a hardcoded file and can handle locked files by terminating their associated processes. Interestingly, the ransomware group creates a ransom note for each encrypted file, which is uncommon among ransomware.
  • Further analysis reveals that both DarkAngels and Ragnar Locker share the same file extension (.crypted) and exclusion lists for critical system files. However, DarkAngels includes additional functionalities and arguments not present in Ragnar Locker.
  • In early 2024, a Fortune 50 company paid a record-breaking $75 million ransom to DarkAngels, as detailed in Zscaler ThreatLabz's 2024 Ransomware Report. This amount is nearly double the previous highest known ransom of $40 million paid by CNA after an Evil Corp ransomware attack.

 

 

DARKANGELS

In 2022, a new ransomware named DarkAngels was used in a highly targeted attack. Discovered by Cyble Research Labs, the ransomware shared similarities with the now-defunct Babuk ransomware. Although the group keeps a very low profile, DarkAngels has risen to prominence fairly quickly.

DarkAngels uses a unique and highly targeted strategy by focusing on one large company at a time, setting them apart from most ransomware groups. Unlike these groups, which often rely on broad, indiscriminate targeting and affiliate networks to spread their attacks, DarkAngels aims for high-value targets. This approach allows them to demand larger ransoms from major corporations, distinguishing their methods and goals within the ransomware landscape.

 

TACTICS + TECHNIQUES

As previously stated, DarkAngels ransomware emerged in May 2022, targeting Windows systems. Through static analysis at the time, experts identified the malware as a 32-bit GUI-based binary. The malware called the SetProcessShutdownParameters() API to set its shutdown priority level to zero, so that Windows terminates it last during a system shutdown and its activity is the last to be interrupted.

DarkAngels gained initial access via malspam messages distributing Remote Access Trojans (RATs). These RATs deploy a SOCKS5 backdoor to maintain persistence. The threat actors then scanned the compromised network to find weak access points and valid credentials for lateral movement. They exploited weak and common passwords to access NAS instances and other enterprise assets, exfiltrating sensitive data before encrypting the system. The attackers were observed remaining in the system for five months before initiating encryption.

Key tactics, techniques, and procedures (TTPs) include:

  • Connecting to the service control manager and accessing its database through another API.
  • Enumerating and terminating services such as VSS, SQL, and Memtas that might interfere with the encryption process.
  • Deleting volume shadow copies and all items from the Recycle Bin to prevent system recovery.
  • Appending the .crypt or .crypted extension to encrypted files, excluding certain files like EXE, DLL, and BABYK.
  • Dropping a ransom note (How_To_Restore_Your_Files.txt) with negotiation instructions.

This methodical approach allowed DarkAngels to maintain control and maximize their impact on compromised systems.
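The precursor behaviours listed above (stopping backup and database services, deleting volume shadow copies) are visible in process-creation telemetry well before any file is encrypted. The following is an added example of detection logic written for this post; it is not code from Cyble, Avertium or any of the report's sources. The event lines are constructed samples in a hypothetical `host|parent|image|command line` format, and the rule set and service keywords are assumptions drawn from the TTP list.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not from any real incident).
# Each line: <host>|<parent image>|<image>|<command line>
SAMPLE_EVENTS = [
    "ws01|explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "ws01|unknown.exe|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y",
    "ws01|unknown.exe|C:\\Windows\\System32\\sc.exe|sc stop vss",
    "ws02|services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "ws02|cmd.exe|C:\\Windows\\System32\\sc.exe|sc query state= all",
    "ws03|unknown.exe|C:\\Windows\\System32\\net.exe|net stop memtas",
]

# Services the report says DarkAngels enumerates and terminates before encrypting.
TARGET_SERVICES = {"vss", "sql", "memtas"}

# (rule name, pattern over the command line)
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("service_stop", re.compile(r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop)\s+(\S+)", re.I)),
]

@dataclass
class Alert:
    host: str
    rule: str
    detail: str

def parse_event(line):
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}

def detect(events):
    """Run every rule over every event and return the alerts raised."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        for name, pattern in RULES:
            m = pattern.search(ev["cmdline"])
            if not m:
                continue
            if name == "service_stop":
                svc = m.group(1).lower()
                # Only flag stops of the backup/database services the ransomware targets,
                # so routine administration of other services does not page anyone.
                if not any(t in svc for t in TARGET_SERVICES):
                    continue
                alerts.append(Alert(ev["host"], name, svc))
            else:
                alerts.append(Alert(ev["host"], name, ev["cmdline"]))
    return alerts

def hosts_with_staged_encryption(alerts):
    """Hosts where both shadow-copy deletion and a targeted service stop were seen:
    the combination that precedes encryption in the TTPs described above."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    wanted = {"shadow_copy_deletion", "service_stop"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host}: {a.rule} ({a.detail})")
    print("hosts staging encryption:", hosts_with_staged_encryption(found))
```

Correlating the two rules per host, rather than alerting on each in isolation, is what separates a backup job restarting VSS from the pre-encryption sequence; in a real deployment the event source would be Sysmon event 1 or EDR process telemetry rather than the constructed lines.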

The figure below shows the ransom note left by the malware, titled “How_To_Restore_Your_Files.txt,” which instructs victims on how to pay the ransom to obtain the decryption tool.

 

Image 1: DarkAngels' Ransomware Note

Source: Cyble

 

In the threat actor’s ransom note, the victim is instructed to contact them via their TOR website. Additionally, they threaten to disclose the victims' data if there is no response within four days, warning they will notify government agencies, competitors, and clients.

Once the ransom notes were dropped, the malware encrypted the files on the victim’s machine, appending the ".crypt" extension to the filenames.

 

PRESENT DAY

While DarkAngels originally used Windows and VMware ESXi encryptors based on Babuk ransomware code, they later shifted to a Linux encryptor used by Ragnar Locker. In September 2023, Johnson Controls, an automation and manufacturing company, fell victim to a ransomware attack where their VMware ESXi servers were encrypted by DarkAngels ransomware.

DarkAngels now shares notable traits with Ragnar Locker, although it shows no overlap with the Babuk ESXi locker source code used by many Linux ransomware families. The ransomware requires operators to specify a root directory for encryption and supports multiple optional arguments.

DarkAngels logs encryption progress to a hardcoded file and can handle locked files by terminating their associated processes. Interestingly, the ransomware group creates a ransom note for each encrypted file, which is uncommon among ransomware. It uses AES-256 for encryption and has several operational similarities with Ragnar Locker, such as using the same log file name and encryption mechanism.

Further analysis reveals that both DarkAngels and Ragnar Locker share the same file extension (.crypted) and exclusion lists for critical system files. However, DarkAngels includes additional functionalities and arguments not present in Ragnar Locker. The 2022 and 2023 variants of DarkAngels direct victims to different .ONION addresses and have changed their method for providing proof-packs, with the latest version using password-protected links.
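The one-note-per-encrypted-file behaviour described above is a filesystem signature a responder can check for during triage of an ESXi datastore or NAS share. The block below is an added example written for this post, not code from the report's sources. It builds a constructed directory layout in a temporary folder, then walks it and flags directories where the note count keeps pace with the encrypted-file count. The note is matched by the `How_To_Restore_Your_Files` name from the 2022 Windows variant as a substring, which is an assumption, since the page does not document how the later variant names its per-file notes.

```python
import os
import tempfile

# File extensions the report attributes to DarkAngels (2022 Windows and later Linux variants).
ENCRYPTED_EXTENSIONS = (".crypt", ".crypted")
# Ransom note name from the 2022 Windows variant; matched as a substring because the
# per-file note naming of the later variant is not documented here (assumption).
NOTE_MARKER = "how_to_restore_your_files"

def triage_tree(root):
    """Summarise encrypted-file and ransom-note counts for every directory under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXTENSIONS)]
        notes = [f for f in files if NOTE_MARKER in f.lower()]
        if not encrypted and not notes:
            continue
        report[os.path.relpath(dirpath, root)] = {
            "encrypted": len(encrypted),
            "notes": len(notes),
            # DarkAngels' Linux encryptor drops one note per encrypted file, so a
            # directory where notes >= encrypted files fits that signature.
            "note_per_file": bool(encrypted) and len(notes) >= len(encrypted),
        }
    return report

def directories_with_per_file_notes(report):
    """Directories whose layout matches the per-file ransom note pattern."""
    return sorted(d for d, s in report.items() if s["note_per_file"])

def build_sample_tree():
    """Create a throwaway directory with a constructed post-encryption layout."""
    root = tempfile.mkdtemp(prefix="da_triage_")
    layout = {
        # per-file notes: the DarkAngels Linux pattern
        "finance": ["q1.xlsx.crypted", "q1.xlsx.How_To_Restore_Your_Files.txt",
                    "q2.xlsx.crypted", "q2.xlsx.How_To_Restore_Your_Files.txt"],
        # one note for the whole directory: the more common ransomware pattern
        "hr": ["payroll.docx.crypt", "benefits.pdf.crypt", "review.docx.crypt",
               "How_To_Restore_Your_Files.txt"],
        # EXE and DLL are on the exclusion list and are left untouched
        "bin": ["app.exe", "lib.dll"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("sample\n")
    return root

if __name__ == "__main__":
    summary = triage_tree(build_sample_tree())
    for d, s in sorted(summary.items()):
        print(d, s)
    print("per-file note pattern:", directories_with_per_file_notes(summary))
```

Against a real share the function would be pointed at the mount point; because it only reads directory listings it is safe to run on a volume that is being preserved as evidence.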

 

 

TOR SITE

An OSINT analysis reveals that DarkAngels operators create a unique page for each victim, accessible via a specific URL.

 

Image 2: DarkAngels' Tor Site Welcome Page

Source: NetEye

 

The homepage features a simple design with a logo and no information about the ransomware group or its victims. Due to some misconfigurations in the hidden service, security researchers were able to gather details about the infrastructure used by DarkAngels.

The application is published exclusively on the HTTPS protocol, using a self-signed certificate. The site is built using the Symfony PHP framework, with metadata indicating a 2020 creation date, suggesting it could be an older project repurposed for targeted attacks.

Each victim page includes a header with a countdown and a body section showing multiple pieces of evidence regarding the exfiltrated materials. The group does not use a CDN; instead, all files shared on the victim page are distributed via the ufile[.]io sharing service. Additionally, the page revealed a chat section for negotiation.

 

 

ATTACK ON A FORTUNE 50 COMPANY

In early 2024, a Fortune 50 company paid a record-breaking $75 million ransom to DarkAngels, as detailed in Zscaler ThreatLabz's 2024 Ransomware Report. This amount is nearly double the previous highest known ransom of $40 million paid by CNA after an Evil Corp ransomware attack. While the exact company wasn't disclosed, it is suspected that pharmaceutical giant Cencora, ranked #10 on the Fortune 50 list and attacked in February 2024, might be the victim. Zscaler noted that this substantial ransom could encourage other attackers to adopt DarkAngels' tactics.

 

 

CONCLUSION

DarkAngels has evolved significantly since its emergence in 2022. Initially linked to the Babuk ransomware's source code, DarkAngels has since developed its own distinct tools and techniques, particularly for targeting VMware ESXi servers. The group's recent attacks, such as the one on Johnson Controls, demonstrate their sophisticated approach, including the use of AES-256 encryption, detailed logging mechanisms, and specific arguments for customization.

The comparative analysis with Ragnar Locker highlights DarkAngels' strategic adoption of proven ransomware tactics while also introducing unique elements to enhance their operations. Their methodical approach to targeting high-value companies, coupled with the use of strong encryption and coercive tactics, makes them a threat actor to watch. As they continue to adapt and innovate, security teams must stay vigilant and maintain robust defense measures to mitigate the risks posed by threat actors like DarkAngels.

 

 

AVERTIUM'S RECOMMENDATIONS

  • Endpoint Protection: Ensure endpoints are protected with advanced security solutions like the SentinelOne agent, which can defend against DarkAngels and Ragnar Locker Linux variants.

  • Vulnerability Management: Establish a robust vulnerability and patch management program to prevent initial access by threat actors exploiting known vulnerabilities.

  • Enhanced Network Monitoring: Increase network monitoring for unusual access to ESXi hypervisors, especially where security software is lacking.

  • Data Transfer Surveillance: Focus on detecting large or abnormal data transfers from ESXi servers and other network file storage services to identify potential breaches early.

 

 

HOW AVERTIUM IS PROTECTING OUR CUSTOMERS

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire.

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
    • Risk Assessments
    • Pen Testing and Social Engineering
    • Infrastructure Architecture and Integration
    • Zero Trust Network Architecture
    • Vulnerability Management
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.

 

MITRE MAP

[Image: MITRE ATT&CK mapping for DarkAngels (screenshot, not reproduced in text)]

 

INDICATORS OF COMPROMISE (IOCs)

NOTE: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager.

  • Domains
    • myob[.]live
    • p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd[.]onion
    • qspjx67hi3heumrubqotn26cwimb6vjegiwgvrnpa6zefae2nqs6xqad[.]onion
    • lyoevnzm3ewiq6jeyyuob2wfou7gh47yotuucsrwlf6ju3xrw43wacad[.]onion
    • myob[.]link
  • URLs
    • hxxp[:]//p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd.onion/index.html
    • hxxp[:]//wemo2ysyeq6km2nqhcrz63dkdhez3j25yw2nvn7xba2z4h7v7gyrfgid.onion
    • hxxp[:]//qspjx67hi3heumrubqotn26cwimb6vjegiwgvrnpa6zefae2nqs6xqad.onion/page/6297aa368ec25
  • File Hashes
    • 7c2e9232127385989ba4d7847de2968595024e83
    • 38e05d599877bf18855ad4d178bcd76718cfad1505328d0444363d1f592b0838
    • 5411d7905bef69cb16d44f52fc46aa32fd922c80
    • fe8b6b7c3c86df0ee47a3cb04a68891fd5e91f3bfb13482112dd9042e8baebdf
    • f668f74d8808f5658153ff3e6aee8653b6324ada70a4aa2034dfa20d96875836
    • e931e3191524a0f4bb264408969c3e4f
    • a874076693aff0f34d4248396a2dd777
    • 529e24c81ede5dfcedcc4fbc7d0030f985c67af1
    • 06187023d399f3f57ca16a3a8fb9bb1bdb721603
    • 5cc2306e9e0aa8d1cb095791febf89b3
    • 3b56cea72e8140a7044336933cf382d98dd95c732e5937a0a61e0e7296762c7b
    • 709b7e8edb6cc65189739921078b54f0646d38358f9a8993c343b97f3493a4d9
    • ad5122a5ef7ecdd89d936cb8cc4e2bd5
    • 1758a8db8485f7e70432c07a9e3d5c0bb5743889
    • ebd310cb5f63b364c4ce3ca24db5d654132b87728babae4dc3fb675266148fe9
    • a034f79273e3f61d34eeadf38f12dee2
    • 7247f33113710e5d9bd036f4c7ac2d847b0bf2ac2769cd8246a10f09d0a41bab
    • 903c04976fa6e6721c596354f383a4d4272c6730b29eee00b0ec599265963e74
    • 65ccbd63fbe96ea8830396c575926af476c06352bb88f9c22f90de7bb85366a3
    • 4e9d4afc901fa1766e48327f3c9642c893831af310bc18ccf876d44ea4efbf1d
    • 435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589
    • 9c8feeab65f71344713d63f4879e247aba49dce4
    • c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a
    • 33f612338b6b5e6b4fe8cbb17208795c
    • 8ff189783dc0646513c791421df723187b614f6dbfafad16763e3c369c5dfa2a
    • 1b426f43c91ff3858ed91dfb621cf537
    • fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590
    • 9785231ebf3d00216aa979f8c705e2513568802e
    • 93cb0fa81ed42d4c44fac49dd0354d0b
    • 4a2ee1666e2e9c40d372853e2203a7f2336b6e03
  • IP Addresses
    • 38[.]225[.]166
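The indicators above are published defanged (`hxxp`, `[.]`, `[:]`) and the hash list mixes MD5, SHA-1 and SHA-256 values without labels, so before they can be loaded into a SIEM or EDR watchlist they need to be refanged and typed. The block below is an added example written for this post, not Avertium's own tooling. It carries a handful of the indicators from this report verbatim, classifies each by shape, and matches the set against constructed log lines (a DNS query, proxy requests and EDR file events) to show the end-to-end sweep; the log format is an assumption.

```python
import re

# A subset of the indicators published in this report, kept in their defanged form.
REPORT_IOCS = [
    "myob[.]live",
    "myob[.]link",
    "p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd[.]onion",
    "hxxp[:]//wemo2ysyeq6km2nqhcrz63dkdhez3j25yw2nvn7xba2z4h7v7gyrfgid.onion",
    "e931e3191524a0f4bb264408969c3e4f",
    "7c2e9232127385989ba4d7847de2968595024e83",
    "38e05d599877bf18855ad4d178bcd76718cfad1505328d0444363d1f592b0838",
]

# Constructed log lines in an assumed key=value format (not real telemetry).
SAMPLE_LOGS = [
    "2024-08-01T10:00:01Z dns client=10.0.0.5 query=myob.link type=A",
    "2024-08-01T10:02:13Z proxy client=10.0.0.5 url=https://update.example.com/a.bin",
    "2024-08-01T10:05:44Z edr host=ws01 action=file_write "
    "sha256=38e05d599877bf18855ad4d178bcd76718cfad1505328d0444363d1f592b0838",
    "2024-08-01T10:07:02Z dns client=10.0.0.9 query=mail.example.com type=MX",
    "2024-08-01T10:09:30Z edr host=ws02 md5=E931E3191524A0F4BB264408969C3E4F path=C:\\tmp\\x.bin",
]

def refang(ioc):
    """Undo the common defanging conventions so the value matches real log data."""
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s

def classify(ioc):
    """Type an indicator by its shape: hash length, URL scheme, IPv4 dotted quad, else domain."""
    v = refang(ioc).lower()
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", v):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256"
    if "://" in v:
        return "url"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", v):
        return "ipv4"
    return "domain"

def build_index(iocs):
    """Map each refanged, lower-cased indicator to its type."""
    return {refang(raw).lower(): classify(raw) for raw in iocs}

def match_logs(index, lines):
    """Case-insensitive substring sweep of every indicator over every log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for value, kind in index.items():
            if value in low:
                hits.append({"line": n, "type": kind, "ioc": value})
    return hits

if __name__ == "__main__":
    index = build_index(REPORT_IOCS)
    for value, kind in index.items():
        print(f"{kind:7} {value}")
    for hit in match_logs(index, SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} match on {hit['ioc']}")
```

Hashes are compared case-insensitively because EDR products differ in the case they emit. The substring match on domains is deliberately loose (it would also fire on a longer name that merely ends in a listed domain); a production watchlist should anchor domain matches on the query field rather than the whole line.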

 

 

 

Supporting Documentation

Cyble - Rebranded Babuk Ransomware In Action: DarkAngels Ransomware Performs Targeted Attack

Dark Angels | ESXi Ransomware Borrows Code & Victimology From RagnarLocker (sentinelone.com)

Dark Angels ransomware receives record-breaking $75 million ransom (bleepingcomputer.com)

dark-angels-ransomware-apr28-22-5.pdf (mphasis.com)

Another Ransomware for Linux Likely in Development (uptycs.com)

DarkAngels Ransomware Used as Part of a Highly Targeted Attack (cybersecuritynews.com)

Zscaler ThreatLabz 2024 Ransomware Report I Threat Research

Company Paid Record-Breaking $75 Million to Ransomware Group: Report - SecurityWeek

Johnson Controls says ransomware attack cost $27 million, data stolen (bleepingcomputer.com)

Impact of Johnson Controls ransomware attack detailed | SC Media (scmagazine.com)

Johnson Controls Ransomware Attack Demands $51m (securityjournalamericas.com)

 

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 
