
Dark Angels ransomware targeting Windows and Linux/ESXi systems


The infamous Dark Angels ransomware group has been wreaking havoc on large companies since 2022, utilizing third-party ransomware payloads like Babuk, RTM Locker, and RagnarLocker to encrypt files on both Windows and Linux systems. With a keen strategic approach, the group carefully considers the impact of file encryption to minimize disruptions and tailor their attacks to maximize ransom payments.

One notable aspect of the Dark Angels’ operations is their emphasis on data theft, often demanding payment to prevent the release of stolen information even if they refrain from deploying ransomware. This unique tactic sets them apart from other ransomware groups and has contributed to their status as a formidable threat to businesses, highlighted by a record-breaking $75 million ransom payment in 2024.

Originating in Russian-speaking regions in 2021, the Dark Angels quickly expanded their reach to target global businesses, using Babuk-based ransomware initially before transitioning to double extortion tactics the following year. By releasing stolen data on Telegram and their own data leak site, Dunghill Leak, the group effectively underscored their willingness to leverage all available tools to achieve their objectives.

In April 2023, the Dark Angels shifted their focus to RTM Locker for Windows attacks and also incorporated RagnarLocker, a Linux/ESXi encryptor that had faced a shutdown earlier that year. Despite these challenges, the group showcased adaptability, continuously evolving their tactics to evade law enforcement scrutiny and persist in their criminal activities.

A key component of the Dark Angels’ modus operandi involves leveraging phishing emails and exploiting vulnerabilities in publicly exposed applications to infiltrate corporate networks. Once inside, they conduct meticulous reconnaissance, escalate privileges, exfiltrate sensitive data, and, in some cases, transfer large datasets that can pose significant risks to compromised organizations over extended periods.

Unlike many ransomware groups that outsource their attacks, the Dark Angels prefer to maintain direct control over their operations, ensuring precision and efficiency in executing their malicious activities. This targeted approach, coupled with a focus on exfiltrating massive amounts of data before deciding whether to deploy ransomware, has allowed them to operate relatively under the radar and demand substantial ransoms.

On Windows systems, the Dark Angels deploy a variant of RTM Locker that relies on ChaCha20 and elliptic-curve cryptography (ECC) for its encryption. On Linux and ESXi hosts, they use a modified build of RagnarLocker that combines secp256k1 ECC with AES-256-CBC, both to secure their attacks and to avoid detection.

As reported by Zscaler Blog, the Dark Angels encryption process involves generating a per-system private key, performing key exchanges, encrypting files with shared secrets, and appending unique footers containing encryption parameters to the encrypted data. This meticulous approach allows them to optimize the encryption process and maximize their success rate in extorting ransom payments from their victims.

Overall, the Dark Angels have achieved remarkable financial success through their calculated strategies and innovative tactics. By prioritizing data theft, strategically deploying ransomware, and maintaining a low profile to avoid excessive publicity, they have effectively extorted large sums of money from high-value organizations. The group’s record-breaking ransom payment in March 2024 serves as a testament to their operational prowess and the significant challenges they pose to businesses worldwide.
