Skip to content
Ransomware group

Dark Angels

Dark Angels is a human-operated ransomware operation first observed in May 2022.

Profile source: Mallory opens in a new tab

Dark Angels

Family profile

Dark Angels is a human-operated ransomware operation first observed in May 2022. It conducts intrusions against organizations worldwide, typically performing lateral movement, stealing data for double extortion, obtaining domain controller access, and then deploying ransomware. The group launched a data leak site called "Dunghill Leaks" in April 2023 to pressure victims by threatening publication of stolen data. Reporting in the provided content states that when Dark Angels debuted it used a Babuk-derived ransomware variant, including Windows and VMware ESXi/Linux encryptors, and later switched to Ragnar Locker tooling; one cited researcher assessment says the Linux encryptor used in the Johnson Controls incident matched encryptors used by Ragnar Locker since 2021.

The content specifically links Dark Angels to ransomware activity against VMware ESXi environments. It is named among groups increasingly targeting ESXi, and a cited sample of a Dark Angels ESXi encryptor was reportedly used in the Johnson Controls incident. In that case, the attackers were reported to have encrypted VMware ESXi virtual machines, demanded $51 million for a decryptor and deletion of stolen data, and claimed theft of more than 27 TB of corporate data. Johnson Controls subsequently confirmed a cybersecurity incident that disrupted portions of its internal IT infrastructure and applications. The content also states Dark Angels has been observed in ransomware trend reporting, accounting for 3.8% of observed variants in Q3 2022.

Dark Angels is associated in the provided reporting with large-scale "big game hunting" extortion. Zscaler ThreatLabz and Chainalysis are cited as reporting that a Fortune 50 U.S. company paid Dark Angels a $75 million ransom, described as the highest publicly known ransomware payment. The content does not conclusively identify that victim. High-confidence behaviors directly mentioned include data theft, double extortion, ransomware deployment against enterprise environments including ESXi, and use of leak-site pressure via Dunghill Leaks.

Ransomware.live

Operational record

View group record ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.