The Dark Angels ransomware operation began under a few different names: White Rabbit and M A R I O ESXi. These two crypto-ransomware variants had ransom notes that looked eerily similar, and many of the ransomware attacks from these two variants appeared with victims of another ransomware operation, RansomHouse. Before too long, another ransomware with the same-looking ransom note appeared under the name D A R K A N G E L S T E A M (Dark Angels Team). All three ransomware variants used a tweaked version of the leaked Babuk-ESXi encryptor. The name stuck as they launched a self-named data leak site (DLS) sometime in May 2022.
This version of their DLS never really gained traction, but the group remained operational, somewhat under the radar, until they released another DLS called Dunghill Leak. It's easy to discern that the Dark Angels Team is behind it because the logo used on the DLS is the Dark Angels Team logo. Around the same time, the group began releasing information on alleged breaches of large corporations, coupled with massive extortion demands. In the news, it was reported that Dark Angels breached Sysco and Sabre corporations, posting them on their DLS in an attempt to double extort them.
The Dark Angels Team made headlines when it was reported that the group ransomed Johnson Controls International (JCI) and demanded a $51 million ransom. JCI reportedly did not pay the amount, but did report that the attack cost the company around $27 million to recover. What's interesting about this attack is that researchers found the encryptor sample and negotiation chat logs from it, revealing that the group had switched from Babuk-ESXi-based ransomware to a Ragnar Locker variant. Some researchers indicate that the group had yet to alter the code much, as it was almost a direct copy from other Ragnar Locker attacks. However, Ragnar Locker has ceased operations after many or most of the operators were arrested in a joint law enforcement operation.
The group really caught the attention of researchers and the media when it was reported that the group received a ransom of around $75 million from a ransomware attack on a large corporation in February 2024. Zscaler reported the attack in one of their ransomware reports (found in the references below), which was corroborated by Chainalysis, a blockchain analytics company. Zscaler didn't name the company, but did hint that it was one of the Fortune 50 companies. Coincidentally, Cencora, Inc. filed a Form 8-K with the SEC to report a cyber incident that didn't affect operations. It's possible that Cencora was the company in question, as guessed by BleepingComputer in their reporting. We have no evidence of this, but based on available information, this is an educated guess. At the time of this writing, $75 million is the largest known ransom paid to a ransomware group.
Regarding the technical attributes of their encryptors, the group initially leveraged the stolen Babuk-ESXi source code to create their own encryptor. This was during the time of the Dark Angels DLS. They forked the Babuk code from GitHub and slightly tailored it to their needs. However, they have also been observed using a tailored version of Ragnar Locker (ESXi version). Meanwhile, the operators themselves claim that they have created their own encryptor. One of the samples we collected is of the Ragnar Locker variant reported by @MalGamy12. The encryption information listed in this entry is from that sample.
Industry Sector | Country | Extortion Date | Amount (USD) |
---|---|---|---|
Manufacturing | Switzerland | | |
Manufacturing | Ireland | | $51,000,000 |
Healthcare & Medicine | United States | | $75,000,000 |