DarkAngels
DarkAngels is a ransomware family identified by Cyble Research Labs.
Profile source: Mallory opens in a new tabDarkAngels
Family profile
DarkAngels is a ransomware family identified by Cyble Research Labs. Available reporting describes it as a new ransomware operation and assesses the malware as strongly linked to Babuk, with code and behavioral similarities suggesting rebranded or modified Babuk-derived code. Separate reporting also states DarkAngels was observed using Ragnar Locker’s original ESXi encryptor in an attack on Johnson Controls, although the exact relationship between DarkAngels and Ragnar Locker is unclear.
The analyzed DarkAngels sample is a 32-bit Windows GUI binary. Its behavior includes increasing execution time before shutdown via SetProcessShutdownParameters(), enumerating and terminating services and processes that may interfere with encryption, deleting Volume Shadow Copies with vssadmin.exe, and emptying the Recycle Bin via SHEmptyRecycleBinA(). Reported targeted services/processes include VSS, SQL, Memtas, sql.exe, oracle.exe, and powerpnt.exe. It gathers system information with GetSystemInfo(), creates a thread per CPU, encrypts files, and drops the ransom note How_To_Restore_Your_Files.txt.
DarkAngels excludes certain folders, files, and extensions from encryption, including AppData, Boot, Windows, Windows.old, autorun.inf, boot.ini, bootfont.bin, and extensions such as .exe, .dll, and .babyk. Encrypted files are appended with the .crypt extension. Cyble also reported that DarkAngels appends the string "choung dong looks like hot dog" to encrypted files, a behavior linked to Babuk.
The malware can encrypt beyond the local system. When invoked with the shares argument, it uses NetShareEnum() to enumerate shared resources and checks for the $ADMIN share before encrypting. When invoked with the paths argument, it uses GetDriveTypeW() to identify network drives and encrypt files on them. If -paths and -shares are not provided and no mutex named "DarkAngels" is opened, it recursively traverses local drives and encrypts files.
The ransom note instructs victims to contact the operators via a Tor website and threatens disclosure of stolen data within four days if the victim does not respond, including possible notification of government supervision agencies, competitors, and clients. Reporting characterizes DarkAngels activity as highly targeted because the ransom note and threat actor website reportedly contained a specific organization’s name. No dedicated DarkAngels leak site had been identified at the time of the cited reporting.
Ransomware.live
Operational record
Reporting
Research mentioning DarkAngels
Ragnar Locker ransomware’s dark web extortion sites seized by police
"a new ransomware operation named DarkAngels was seen utilizing Ragnar Locker's original ESXi encryptor..."
DarkAngels Ransomware: Targeted Attack By Rebranded Babuk
Cyble Research Labs has identified a new ransomware malware known as DarkAngels. Analysis of the DarkAngels malware uncovered similarities between it and the Babuk Ransomware.