The subtle ransomware group Darkish Angels, energetic since 2022, targets massive firms for substantial ransom funds by using third-party ransomware payloads like Babuk, RTM Locker, and RagnarLocker to encrypt recordsdata on Home windows and Linux techniques.
It employs ransomware in a strategic method, considering the potential affect of file encryption, as a way to decrease the disruption to enterprise operations.
Prioritizing information theft, they demand cost to stop the discharge of stolen info, even when ransomware deployment is prevented. With a record-breaking $75M ransom cost in 2024, Darkish Angels stay a formidable menace to companies.
.webp)
The Darkish Angels ransomware group, originating in Russian-speaking areas, emerged in 2021 and started focusing on international companies.
Analyse Any Suspicious Hyperlinks Utilizing ANY.RUN’s New Secure Searching Software: Strive for Free
Initially utilizing Babuk-based ransomware, they transitioned to double extortion ways in 2023, releasing stolen information on Telegram and their very own information leak web site, Dunghill Leak.
In April 2023, they adopted RTM Locker, a ransomware-as-a-service, for Home windows assaults and in addition leveraged RagnarLocker, a Linux/ESXi encryptor, regardless of its shutdown in 2023.
All through its operations, it has developed its ways, expanded its goal base, and demonstrated resilience within the face of regulation enforcement actions.
The group leverages phishing emails and exploits vulnerabilities like CVE-2023-22069 in publicly uncovered functions to infiltrate company networks.
As soon as inside, they conduct reconnaissance, escalate privileges to acquire area administrator accounts, and exfiltrate delicate information. Giant datasets can take weeks to switch, posing a major threat to compromised organizations.
.webp)
It instantly targets massive enterprises for high-value ransom funds. In contrast to many others, they keep away from outsourcing assaults, making certain precision and management, as their focus is on exfiltrating huge quantities of information, as much as 100 TB, earlier than deciding whether or not to deploy ransomware.
This strategic method, prioritizing stealth over widespread disruption, has allowed them to stay comparatively unknown, evade media consideration, and demand substantial ransoms by efficiently attacking numerous industries, together with healthcare, know-how, manufacturing, and telecommunication.
.webp)
It employs a variant of RTM Locker for Home windows encryption, utilizing ChaCha20 and ECC for a safer method in comparison with Babuk.
On Linux and ESXi, they leverage a RagnarLocker variant combining secp256k1 ECC and AES-256-CBC.
In response to Zscaler Weblog, the encryption course of entails producing a per-system non-public key, deriving a public key, performing ECDH key alternate, and encrypting recordsdata with the shared secret.
A novel footer containing encryption parameters is appended to encrypted recordsdata. The -m parameter permits for partial encryption of huge recordsdata, optimizing the method.
Darkish Angel has achieved important monetary success by way of a singular method.
In contrast to most ransomware teams that depend on affiliate networks, it operates independently, focusing on high-value organizations and strategically deploying ransomware solely when it should have minimal enterprise disruption.
By specializing in stealing delicate information and avoiding extreme publicity, Darkish Angels has efficiently extorted massive sums of cash, as evidenced by the document $75 million ransom cost obtained in March 2024.
Methods to Shield Web sites & APIs from Malware Assault => Free Webinar