Illuminating the Dark Angels Ransomware Group

Dark Angels is a highly targeted extortion group active since April 2022 that prioritizes large enterprise intrusions, extensive data theft, and selective ransomware deployment to minimize operational disruption. Their toolset includes RTM Locker (Windows) and a RagnarLocker variant for Linux/ESXi, and they have exploited vulnerabilities such as CVE-2023-22069. #DarkAngels #RagnarLocker

Keypoints

  • Dark Angels began operations in April 2022 and claims formation in 2021.
  • The group focuses on a small number of large enterprises to demand high-value ransoms.
  • They received a record $75M ransom payment in 2024.
  • Dark Angels uses third-party ransomware code: Babuk/RTM Locker variants for Windows and a RagnarLocker variant for Linux/ESXi.
  • They operate stealthily, often choosing whether to deploy encryption based on expected business disruption.
  • Infiltration methods include phishing and exploitation of public-facing vulnerabilities such as CVE-2023-22069, followed by lateral movement and privilege escalation.
  • File encryption uses modern crypto: Windows variant leverages Curve25519 and ChaCha20 per-file; Linux/ESXi variant uses secp256k1 ECDH and AES-256-CBC with a footer-based parameter structure and configurable partial-file encryption modes.

MITRE Techniques

  • [T1071] Initial Access – Phishing emails used to gain initial access. [‘Phishing emails to gain initial access to corporate networks.’]
  • [T1190] Exploitation of Public-Facing Applications – Exploited vulnerabilities in internet-facing services such as CVE-2023-22069. [‘Exploiting vulnerabilities such as CVE-2023-22069.’]
  • [T1003] Credential Dumping – Escalated privileges and extracted credentials to obtain domain administrator access for lateral movement. [‘Escalating privileges to gain access to domain administrator accounts.’]
  • [T1486] Data Encrypted for Impact – Employed multiple ransomware payloads to encrypt files on compromised hosts when chosen. [‘Encrypting files on compromised systems using various ransomware payloads.’]
  • [T1041] Exfiltration Over C2 Channels (Data Exfiltration) – Exfiltrated large datasets (1–100 TB) prior to or instead of encryption. [‘Exfiltrating sensitive information prior to deploying ransomware.’]

Indicators of Compromise

  • [Onion domains] Dark Angels Tor sites – http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html, https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion

Dark Angels gain access through phishing and by exploiting public-facing application vulnerabilities (e.g., CVE-2023-22069), then perform internal reconnaissance, lateral movement, and privilege escalation to reach domain administrator accounts. They exfiltrate very large datasets—often 1–100 TB—over days or weeks, and decide whether to deploy encryption based on expected operational impact; this selective deployment is core to their low-profile extortion model.

On Windows targets they have used RTM Locker variants derived from Babuk. For each file the locker generates a random 32-byte Curve25519 private value, derives the matching public key and appends it to the filename as a 64-character hex string, then performs an ECDH between that per-file private value and a hardcoded public key to produce the ChaCha20 key (with a NULL, i.e. all-zero, 8-byte nonce) used to encrypt the file contents. This scheme writes no footer containing encryption parameters; if encryption is interrupted before the public-key extension is appended, the per-file shared secret cannot be reconstructed and the file becomes unrecoverable.
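A triage helper for the Windows naming pattern described above, added here as an example and not code from the Zscaler write-up or the malware itself. It walks a file listing, recovers the original name and the 32-byte per-file public key from files that carry the 64-hex-character suffix, and counts affected files. It assumes the key is appended as a trailing extension (a separating dot is tolerated but not required) and that bare hash-named files with no original stem should not match; the listing is constructed sample data. The recovered public key is useful for inventory only: reconstructing the shared secret still requires the threat actor's private key.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, NamedTuple

# Assumption (example model): the locker appends the 32-byte per-file Curve25519
# public key as 64 hex characters after the original name.  A separating dot is
# tolerated but not required; a name that is nothing but 64 hex characters
# (a hash-named file with no stem) does not match.
PUBKEY_SUFFIX_RE = re.compile(r"^(?P<stem>.+?)\.?(?P<key>[0-9a-fA-F]{64})$")


class RenamedFile(NamedTuple):
    path: str           # full path as it appeared in the listing
    original_name: str  # file name with the appended key removed
    pubkey: bytes       # 32-byte per-file public key recovered from the name


def _basename(path: str) -> str:
    # Listings may mix Windows and POSIX separators (UNC shares, mounted exports).
    return re.split(r"[\\/]", path)[-1]


def find_renamed_files(paths: Iterable[str]) -> Iterator[RenamedFile]:
    """Yield every path whose file name ends in a 64-hex-character key."""
    for path in paths:
        m = PUBKEY_SUFFIX_RE.match(_basename(path))
        if m:
            yield RenamedFile(path, m["stem"], bytes.fromhex(m["key"]))


def summarize(paths: Iterable[str]) -> Dict[str, object]:
    """Count affected files and flag any per-file key that appears twice.

    Per-file keys are generated randomly, so a repeated key contradicts the
    described scheme and deserves a closer look (copied file, different sample).
    """
    hits: List[RenamedFile] = list(find_renamed_files(paths))
    counts = Counter(h.pubkey for h in hits)
    return {
        "affected": len(hits),
        "unique_keys": len(counts),
        "duplicate_keys": [k.hex() for k, n in counts.items() if n > 1],
    }


# Constructed sample listing (not real indicators).
KEY_A = "0123456789abcdef" * 4
KEY_B = "fedcba9876543210" * 4
SAMPLE_LISTING = [
    "C:\\Finance\\Q3-forecast.xlsx." + KEY_A,
    "C:\\Finance\\notes.txt",
    "\\\\fileserver\\share\\backup.vmdk." + KEY_B,
    "C:\\Tools\\" + "a1" * 32,  # hash-named file, 64 hex chars, no stem: not a hit
]

if __name__ == "__main__":
    for hit in find_renamed_files(SAMPLE_LISTING):
        print(f"{hit.path} -> {hit.original_name} (key {hit.pubkey.hex()[:16]}...)")
    print(summarize(SAMPLE_LISTING))
```

Run it over the output of a recursive directory listing (one path per line) to build the list of renamed files for recovery planning; the `duplicate_keys` field is a sanity check that the data matches the per-file-key behaviour rather than a different family.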

For Linux and VMware ESXi systems they use a RagnarLocker-derived variant. It generates a per-system secp256k1 private/public key pair and performs an ECDH (via libsecp256k1 with a custom hash function) against a hardcoded public key to derive a shared secret. A random 32-byte master AES key (mk) encrypts file blocks with AES-256-CBC and per-file IVs; mk itself is encrypted with the ECDH-derived key and stored in a 177-byte footer alongside the secp256k1 public key, the IVs, checksums, the original file size, and a num_mb_to_skip value set by the -m parameter. The -m option enables partial-file encryption (for example, encrypting 10% of a file by encrypting 1 MB and then skipping 9 MB) to speed up processing of very large files. Because this Ragnar-derived variant writes its encryption parameters into the file footer, recovery remains possible if encryption is interrupted, provided the footer is still present.
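A model of the partial-file encryption mode above, added here as an example rather than code from the Zscaler write-up or the malware. For a given file size and num_mb_to_skip it maps which byte ranges were encrypted and, more usefully for a responder, which ranges are still plaintext, so that intact regions of a large VMDK or backup file can be carved or read before any decryptor is available. It assumes the model the page's example implies: encryption starts at offset 0, encrypts a 1 MiB chunk, skips num_mb_to_skip MiB, and repeats to end of file (the last chunk may be shorter); the exact chunk size and start offset of the real sample are not stated on the page and are treated as parameters.

```python
from typing import List, Tuple

MB = 1024 * 1024          # assumption: "MB" in the -m parameter means 1 MiB
Range = Tuple[int, int]   # half-open [start, end) byte offsets


def encrypted_ranges(filesize: int, num_mb_to_skip: int, chunk: int = MB) -> List[Range]:
    """Byte ranges the partial mode encrypts.

    Assumed model: encrypt `chunk` bytes starting at offset 0, skip
    num_mb_to_skip MiB, repeat until end of file.  num_mb_to_skip == 0 means
    every byte is encrypted.
    """
    if filesize < 0 or num_mb_to_skip < 0 or chunk <= 0:
        raise ValueError("sizes must be non-negative and chunk positive")
    ranges: List[Range] = []
    pos = 0
    while pos < filesize:
        end = min(pos + chunk, filesize)   # final chunk may be short
        ranges.append((pos, end))
        pos = end + num_mb_to_skip * MB
    return ranges


def plaintext_ranges(filesize: int, num_mb_to_skip: int, chunk: int = MB) -> List[Range]:
    """Complement of encrypted_ranges: regions that were never touched."""
    gaps: List[Range] = []
    prev_end = 0
    for start, end in encrypted_ranges(filesize, num_mb_to_skip, chunk):
        if start > prev_end:
            gaps.append((prev_end, start))
        prev_end = end
    if prev_end < filesize:
        gaps.append((prev_end, filesize))
    return gaps


def encrypted_fraction(filesize: int, num_mb_to_skip: int, chunk: int = MB) -> float:
    """Share of the file that was encrypted (0.1 for the page's 1 MB / 9 MB example)."""
    if filesize == 0:
        return 0.0
    encrypted = sum(end - start for start, end in encrypted_ranges(filesize, num_mb_to_skip, chunk))
    return encrypted / filesize


def is_encrypted_offset(offset: int, num_mb_to_skip: int, chunk: int = MB) -> bool:
    """O(1) check for one offset: the pattern repeats every chunk + skip bytes."""
    period = chunk + num_mb_to_skip * MB
    return offset % period < chunk


if __name__ == "__main__":
    size = 100 * MB  # constructed example: a 100 MiB file encrypted with -m 9
    print("encrypted fraction:", encrypted_fraction(size, 9))
    for start, end in plaintext_ranges(size, 9)[:3]:
        print(f"plaintext {start // MB:>4} MiB .. {end // MB:>4} MiB")
```

Applied to an affected datastore, the plaintext map tells you which guest-filesystem blocks may still be readable; on a 100 MiB file with -m 9 it reports ten untouched 9 MiB windows and a 10% encrypted share.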

Read more: https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-ransomware-group