Dark Web Insights: Dark Angels – SOCRadar® Cyber Intelligence Inc.

Dark Angels, also known as Dunghill Leak, is a highly disruptive ransomware group noted for aggressive tactics and record-setting ransom demands across industries since its emergence around May 2022. The group has pursued multi-TB data exfiltration, switched from Babuk to RagnarLocker, and conducted high-profile attacks, including a September 2023 incident in which it demanded $51 million and stole over 27 TB of data.

Keypoints

  • Group Name: Dark Angels (Dunghill Leak)
  • Emergence: around May 2022
  • Notable ransom demands: up to $75 million; September 2023 attack with $51 million demand and 27+ TB stolen
  • Targeted industries: healthcare, government, finance, education, technology, telecommunications
  • Attack approach: highly targeted, focusing on a single large company at a time
  • Ransomware variants and timeline: Babuk initially, later RagnarLocker; law enforcement action in Oct 2023 affecting RagnarLocker

MITRE Techniques

  • [T1078] Valid Accounts – Utilization of compromised credentials to gain access to target systems.
  • [T1486] Data Encrypted for Impact – Encrypting files on compromised systems to disrupt operations.
  • [T1041] Exfiltration Over Command and Control – Transmitting stolen data back to the attacker via established command and control channels.

Indicators of Compromise

  • [Malware] Babuk; RagnarLocker – used by Dark Angels; “Initially, Dark Angels deployed a Babuk variant before switching to RagnarLocker.”
  • [Threat Actor] Dark Angels (Dunghill Leak) – the ransomware group behind the campaigns described

Read more: https://socradar.io/dark-web-profile-dark-angels/