Skip to content
Ransomware group

DarkAngels

DarkAngels is a ransomware family identified by Cyble Research Labs.

Profile source: Mallory opens in a new tab

DarkAngels

Family profile

DarkAngels is a ransomware family identified by Cyble Research Labs. Available reporting describes it as a new ransomware operation and assesses the malware as strongly linked to Babuk, with code and behavioral similarities suggesting rebranded or modified Babuk-derived code. Separate reporting also states DarkAngels was observed using Ragnar Locker’s original ESXi encryptor in an attack on Johnson Controls, although the exact relationship between DarkAngels and Ragnar Locker is unclear.

The analyzed DarkAngels sample is a 32-bit Windows GUI binary. Its behavior includes increasing execution time before shutdown via SetProcessShutdownParameters(), enumerating and terminating services and processes that may interfere with encryption, deleting Volume Shadow Copies with vssadmin.exe, and emptying the Recycle Bin via SHEmptyRecycleBinA(). Reported targeted services/processes include VSS, SQL, Memtas, sql.exe, oracle.exe, and powerpnt.exe. It gathers system information with GetSystemInfo(), creates a thread per CPU, encrypts files, and drops the ransom note How_To_Restore_Your_Files.txt.

DarkAngels excludes certain folders, files, and extensions from encryption, including AppData, Boot, Windows, Windows.old, autorun.inf, boot.ini, bootfont.bin, and extensions such as .exe, .dll, and .babyk. Encrypted files are appended with the .crypt extension. Cyble also reported that DarkAngels appends the string "choung dong looks like hot dog" to encrypted files, a behavior linked to Babuk.

The malware can encrypt beyond the local system. When invoked with the shares argument, it uses NetShareEnum() to enumerate shared resources and checks for the $ADMIN share before encrypting. When invoked with the paths argument, it uses GetDriveTypeW() to identify network drives and encrypt files on them. If -paths and -shares are not provided and no mutex named "DarkAngels" is opened, it recursively traverses local drives and encrypts files.

The ransom note instructs victims to contact the operators via a Tor website and threatens disclosure of stolen data within four days if the victim does not respond, including possible notification of government supervision agencies, competitors, and clients. Reporting characterizes DarkAngels activity as highly targeted because the ransom note and threat actor website reportedly contained a specific organization’s name. No dedicated DarkAngels leak site had been identified at the time of the cited reporting.

Ransomware.live

Operational record

View group record ↗

Reporting

Research mentioning DarkAngels

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.