Dark Angels Linux ESXi ransomware targeted Johnson Controls’ VMware ESXi servers in September 2023 and encrypts files using AES-256. SentinelOne’s analysis finds substantial overlap with RagnarLocker’s ESXi variant, suggesting shared code and victimology between the families. #DarkAngels #RagnarLocker #JohnsonControls #ESXi #DunghillLeak
Key points
- Dark Angels Linux ESXi ransomware targeted Johnson Controls’ ESXi servers in September 2023.
- Dark Angels is a 64-bit ELF binary for Intel Linux that logs to wrkman.log and requires the operator to specify a root directory to encrypt; command-line options such as -m, -v, and -l control its operation and logging.
- Ransom notes are created per encrypted file and use the .crypted.README_TO_RESTORE format.
- There is substantial overlap between Dark Angels and RagnarLocker Linux samples (similar size, compiler string, and log file usage), including AES-256 encryption and the .crypted extension.
- 2022 and 2023 variants show differences in leak infrastructure (ONION addresses) and proof-pack hosting (ibb.co vs. ufile.io), with 2023 using password-protected ufile.io links.
- Recommendations emphasize endpoint protection, vulnerability and patch management, and closer monitoring of ESXi traffic, since ESXi has no native security software of its own.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – “previous reports indicate the group leverages vulnerabilities to achieve initial access before pivoting deeper into the environment.”
- [T1083] File and Directory Discovery – “The program requires the operator to specify a root directory for file encryption to start, which will then process any subdirectories.”
- [T1486] Data Encrypted for Impact – “Dark Angels uses AES with a 256-bit key to encrypt files.”
Indicators of Compromise
- [File hash] Dark Angels / RagnarLocker binaries – 06187023d399f3f57ca16a3a8fb9bb1bdb721603, 5411d7905bef69cb16d44f52fc46aa32fd922c80, and 7c2e9232127385989ba4d7847de2968595024e83
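As an added example (not code from the SentinelOne report), the following Python scan walks a copied datastore directory for the host-side artefacts the key points describe (.crypted files, per-file .crypted.README_TO_RESTORE notes, wrkman.log) and compares file hashes against the three indicators above, which are assumed to be SHA-1 from their 40-hex-character length. The sample directory tree is constructed inline for demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File hashes listed in the report for the Dark Angels / RagnarLocker ESXi binaries
# (40 hex characters, so treated as SHA-1 here).
KNOWN_SHA1 = {
    "06187023d399f3f57ca16a3a8fb9bb1bdb721603",
    "5411d7905bef69cb16d44f52fc46aa32fd922c80",
    "7c2e9232127385989ba4d7847de2968595024e83",
}
ENCRYPTED_EXT = ".crypted"                  # extension appended to encrypted files
NOTE_SUFFIX = ".crypted.README_TO_RESTORE"  # per-file ransom note naming format
LOG_NAME = "wrkman.log"                     # log file the binary writes

def sha1_of(path):
    """Stream a file through SHA-1 so large VMDKs do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root):
    """Walk root and bucket every file by the Dark Angels artefact it matches."""
    hits = {"encrypted": [], "ransom_notes": [], "log": [], "known_binary": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if name.endswith(NOTE_SUFFIX):
                hits["ransom_notes"].append(p)
            elif name.endswith(ENCRYPTED_EXT):
                hits["encrypted"].append(p)
            elif name == LOG_NAME:
                hits["log"].append(p)
            elif sha1_of(p) in KNOWN_SHA1:   # any other file: check against the IoC hashes
                hits["known_binary"].append(p)
    return hits

def build_sample_tree():
    """Constructed sample datastore: one encrypted VMDK, its note, an untouched file, and the log."""
    root = tempfile.mkdtemp(prefix="da_sample_")
    vm = Path(root, "datastore1", "vm01")
    vm.mkdir(parents=True)
    (vm / "vm01.vmdk.crypted").write_bytes(b"\x00" * 16)
    (vm / "vm01.vmdk.crypted.README_TO_RESTORE").write_text("constructed ransom note")
    (vm / "vm01.vmx").write_text("untouched config")
    Path(root, LOG_NAME).write_text("constructed log")
    return root

if __name__ == "__main__":
    for category, paths in scan(build_sample_tree()).items():
        print(f"{category}: {len(paths)}")
```

On a real host, run it against a read-only copy of the datastore or a mounted forensic image rather than the live ESXi filesystem.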