Ransomware - Dark Angels

Dark Angels
Decryptor Available
No
Description

The Dark Angels ransomware operation began under a few different names - White Rabbit and M A R I O ESXi. These two crypto-ransomware variants had ransom notes that looked eerily similar, and many of the attacks from these two variants appeared alongside victims of another ransomware operation - RansomHouse. Before long, another ransomware with the same-looking ransom note appeared under the name D A R K A N G E L S T E A M (Dark Angels Team). All three ransomware variants used a tweaked version of the leaked Babuk-ESXi encryptor. The name stuck as they launched a self-named data leak site (DLS) sometime in May 2022.

This version of their DLS never really gained traction, but the group remained operational, somewhat under the radar, until they released another DLS called Dunghill Leak. It's easy to discern that the Dark Angels Team is behind it because the DLS uses the Dark Angels Team logo. Around the same time, the group began releasing information on alleged breaches of large corporations coupled with massive extortion demands. In the news, it was reported that Dark Angels breached the Sysco and Sabre corporations, posting them on their DLS in an attempt to double extort them.

The Dark Angels Team made headlines when it was reported that the group ransomed Johnson Controls International (JCI) and demanded a $51 million ransom. JCI reportedly did not pay the amount, but did report that the attack cost the company around $27 million to recover. What's interesting about this attack is that researchers found the encryptor sample and negotiation chat logs from it, revealing that the group switched from Babuk-ESXi-based ransomware to a Ragnar Locker variant. Some researchers indicate that the group had yet to alter the code much, as it was almost a direct copy from other Ragnar Locker attacks. However, Ragnar Locker has ceased operations after many or most of the operators were arrested in a joint law enforcement operation.

The group really caught the attention of researchers and the media when it was reported that the group received a ransom of around $75 million from a ransomware attack on a large corporation in February 2024. Zscaler reported the attack in one of their ransomware reports (found in the references below), which was corroborated by Chainalysis, a blockchain analytics company. Zscaler didn't name the company, but did hint that it was one of the Fortune 50 companies. Coincidentally, Cencora, Inc. filed a Form 8-K with the SEC to report a cyber incident that didn't affect operations. It's possible that Cencora was the company in question, as guessed by BleepingComputer in their reporting. We have no evidence of this, but based on available information, this is an educated guess. At the time of this writing, $75 million is the largest known ransom paid to a ransomware group.

Regarding the technical attributes of their encryptors, the cybergroup initially leveraged the stolen Babuk-ESXi source code to create their own encryptor. This was during the time of the Dark Angels DLS. They forked the Babuk code from GitHub and slightly tailored it to their needs. However, they also have been observed using a tailored version of Ragnar Locker (ESXi version). Meanwhile, the operators themselves claim that they have created their own encryptor. One of the samples we collected is of the Ragnar Locker variant reported by @MalGamy12. The encryption information listed in this entry is from that sample.

Ransomware Type
Crypto-Ransomware
Data Broker
HumOR
First Seen
Threat Actors
Type: Cybergroup
Actor: Dark Angels Team
Extortion Types
Direct Extortion
Double Extortion
Elicit Cyber Insurance
Free Data Leaks
Unveil to Media
Victim Client Communication
Victim Employee Communication
Extortion Amounts
Amount
38.14 BTC ($1,443,484)
$51,000,000
$75,000,000
Communication
Medium
Identifier
Telegram
TOR
TOR
Web Chat
Web Chat
Encryption
Type: Hybrid
Files: Salsa20
Key: RSA-2048
Crypto Wallets
Blockchain Type
Crypto Wallet
BTC
bc1q0ev7t3um4jgmhu6x2p4sw8h9quna2y8s7xvzr8
BTC
bc1q0wf73xmcqkvrvs7tj49hznxqqgt6tp359gk0az
BTC
bc1qqe7dafpmnrs4s4apn26f5ppu76qujwn2s3cy83
BTC
bc1qztpcqflm52vxvwv57mzmpv3rkkxyn06cucc0ph
File Extension
<file name>.<file extension>.crypt
<file name>.<file extension>.crypted
Ransom Note Name
How_To_Restore_Your_Files.txt
Samples (SHA-256)
38e05d599877bf18855ad4d178bcd76718cfad1505328d0444363d1f592b0838
3b56cea72e8140a7044336933cf382d98dd95c732e5937a0a61e0e7296762c7b
f668f74d8808f5658153ff3e6aee8653b6324ada70a4aa2034dfa20d96875836
fe8b6b7c3c86df0ee47a3cb04a68891fd5e91f3bfb13482112dd9042e8baebdf
Known Victims
Industry Sector          Country          Extortion Date    Amount (USD)
Manufacturing            Switzerland
Manufacturing            Ireland                            $51,000,000
Healthcare & Medicine    United States                      $75,000,000
References
SentinelOne: Dark Angels Team
United States Securities and Exchange Commission: Cencora, Inc. - Form 8-K [Feb 21, 2024]
United States Securities and Exchange Commission: Johnson Controls International - Form 10-Q [Dec 31, 2023]