Dark Angels Exposed

Oct. 9, 2024, 8:05 a.m.

Tags
ransomware
data exfiltration
babuk
raas
2024-10-08
ragnarlocker
CVE-2023-22069
External References
Description

The Dark Angels ransomware group, active since April 2022, operates with sophisticated strategies targeting large companies for substantial ransom demands. They focus on stealthy attacks, avoiding outsourcing to third-party brokers. The group uses various ransomware payloads, including Babuk and Read the Manual (RTM) Locker for Windows, and a RagnarLocker variant for Linux/ESXi systems. Dark Angels emphasizes data theft over file encryption, often demanding payment to prevent data leaks. Their tactics include network infiltration, lateral movement, and selective ransomware deployment based on potential business disruption. The group has claimed a record $75 million ransom payment and operates a data leak site called Dunghill Leak.

Date

Published: Oct. 8, 2024, 10:49 p.m.

Created: Oct. 8, 2024, 10:49 p.m.

Modified: Oct. 9, 2024, 8:05 a.m.

Attack Patterns

Read the Manual (RTM) Locker

Vasa Locker

Babyk

Babuk - S0638

RagnarLocker

Dark Angels

T1490

T1012

T1552

T1114

T1087

T1005

T1021

T1489

T1486

T1082

T1083

T1543

T1055

T1027

T1053

T1112

T1041

T1566

T1190

T1078

Additional Informations

Technology

Healthcare

Telecommunications

Manufacturing

Virgin Islands, U.S.