Illuminating the Dark Angels Ransomware Group

The Dark Angels ransomware threat group launched attacks beginning in April 2022, and has since been quietly executing highly targeted attacks. Dark Angels operate with more stealthy and sophisticated strategies than many other ransomware groups. Instead of outsourcing breaches to third-party initial access brokers that target a wide range of victims, Dark Angels launch their own attacks that focus on a limited number of large companies. This methodology is designed to attract minimal attention, and at the same time, net significant financial gains. Our Zscaler ThreatLabz 2024 Ransomware Report exposed Dark Angels with the largest known ransom payment in history of $75 million earlier this year. In this blog, we will examine the group’s tactics, techniques, and procedures in more detail.

Key Takeaways

• Dark Angels is a sophisticated and highly successful ransomware group that was initially identified in 2022.
• Dark Angels attack a small number of large companies for substantial ransom demands including a $75M ransom payment in 2024—the largest ever discovered.
• The group leverages third-party ransomware payloads including Babuk and Read the Manual (RTM) Locker for Windows file encryption, as well as a variant of RagnarLocker for encrypting files on Linux/ESXi systems.
• Dark Angels attempt to remain in the shadows by performing attacks that do not cause significant business disruptions. The group selectively chooses whether to deploy ransomware based on how much impact file encryption will have on the targeted organization.
• Dark Angels focus heavily on stealing vast amounts of information, especially in cases where the group decides not to deploy ransomware for file encryption. In such instances, Dark Angels demand payment to prevent stolen data from being leaked online.

An Introduction to Dark Angels Ransomware

The Dark Angels group operates from Russian-speaking regions and targets global businesses in the U.S., Europe, South America, and Asia. The first publicly known ransomware attack occurred in April 2022. However, the group’s logo claims they formed in 2021 as shown below. It is not clear if the group operated and conducted attacks under a different name during this initial phase.

Figure 1: The Dark Angels ransomware group logo.

The first known Dark Angels attacks deployed ransomware payloads for Windows systems based on the leaked Babuk source code. While the group likely performed double extortion attacks, combining file encryption with data extortion, Dark Angels is not known to have publicly released data stolen from victims at that time. However, that changed in January 2023, when Dark Angels began releasing stolen data via a Telegram channel (@leaksdirectory) as shown in the figure below. 

Figure 2: The earliest known data leaks released on Telegram by Dark Angels in January 2023.

In April 2023, the group spun up their own data leak site named Dunghill Leak as a Tor hidden service to further publicize stolen victim data. On the data leak site, Dark Angels portrays themselves as providing victim organizations with professional information security services to “make the world more secure” and ironically justifies this objective through extortion as shown below.

Figure 3: The Dark Angels self-described mission on their data leak site.

In July 2023, Dark Angels was observed using a variant of RTM Locker to launch ransomware attacks targeting Windows systems. RTM Locker is operated as ransomware-as-a-service (RaaS) with affiliates that conduct breaches on their behalf in exchange for a percentage of ransom payments. Interestingly, RTM Locker is also based on the leaked source of Babuk. The relationship between the threat group operating RTM Locker and Dark Angels remains unclear, apart from their shared use of the ransomware payload. It is unlikely that Dark Angels is affiliated with RTM Locker, but the group may have acquired the ransomware’s source code or obtained an RTM Locker builder.

Dark Angels also leverages a variant of RagnarLocker to encrypt files on Linux/ESXi systems. The exact relationship between Dark Angels and RagnarLocker is not clear. The latter was active from December 2019 to October 2023, until international law enforcement agencies seized the group’s infrastructure and arrested key individuals in a collaborative global operation. However, the shutdown did not appear to have any impact on Dark Angels.

The figure below shows some of the significant milestones in the history of the Dark Angels ransomware group.

Figure 4: A timeline of significant Dark Angels’ activity.

Dark Angels Attack Methodology

Dark Angels infiltrates corporate networks using a variety of techniques including phishing emails and through publicly exposed applications that contain vulnerabilities such as CVE-2023-22069. Once inside a network, the group is very adept at moving laterally. These steps involve performing reconnaissance and escalating privileges to gain access to a domain administrator account. Thereafter, the group identifies and exfiltrates sensitive information. The network transfers for large datasets can take days or even weeks to complete.

Dark Angels Ransom Strategy

Unlike other threat actors, Dark Angels does not outsource attacks to third-party affiliates (i.e., initial access brokers). Therefore, the number of attacks launched by the group is very limited and targeted at large enterprise organizations that result in high-value ransom payments. Rather than crippling entire organizations, Dark Angels infiltrate networks and exfiltrate vast amounts of data—typically ranging from 1 to 100 TB. The group then determines whether to deploy ransomware and encrypt the victim’s data. This decision is based on whether file encryption will cause a business disruption. Their focus on stealth and precision has allowed the group to remain relatively unknown. This approach has not only increased their ransom payments, but also allowed Dark Angels to largely operate under the radar, evading widespread media coverage and law enforcement scrutiny. The group has launched attacks targeting numerous industries including healthcare, technology, manufacturing, and telecommunications.

Dark Angels File Encryption

File encryption on Windows systems

In Dark Angels’ earliest attacks, the group leveraged a vanilla build of Babuk likely compiled from the leaked source code. However, in July 2023 ThreatLabz observed the group using a variant of RTM Locker, which itself is based on Babuk. However, the RTM variant includes modifications such as replacing the symmetric encryption algorithm from HC-128 to ChaCha20, and eliminating the need for an encrypted file footer.

Similar to Babuk, RTM Locker uses Elliptic Curve Cryptography (ECC) with Curve25519 for asymmetric encryption. The process starts by generating a random 32-byte value per file that is used as a Curve25519 private key. The corresponding per file public key is then derived from the private key. The private key value is then used to perform an Elliptic-Curve Diffie-Hellman (ECDH) key exchange with a hardcoded public key generated by Dark Angels to produce a shared secret. From here, this shared secret is used as a ChaCha20 key with a NULL 8-byte nonce to encrypt the file’s contents. Unlike most ransomware families, RTM Locker does not append a file footer that contains each file’s encryption parameters. Instead, the file’s Curve25519 public key is encoded as a 64-character hex string (32 bytes when decoded) and the file’s extension is appended with this value. An example directory after file encryption is shown below:

Figure 5: Example of files encrypted by an RTM Locker variant used by Dark Angels.

The only parameters necessary to decrypt a victim’s files are the Curve25519 private key possessed by Dark Angels and each file’s Curve25519 public key, which can then be used to derive the shared secret (i.e., the file’s ChaCha20 encryption key) using ECDH. However, there is one main flaw with this implementation. If file encryption is interrupted (e.g., a victim notices the file encryption and turns off the system), the file extension containing the file’s public key will not have been appended to the file, since that operation occurs after file encryption is complete. As a result, the shared secret used for ChaCha encryption will not be recoverable and decryption will not be possible for that file.

File encryption on Linux and VMware ESXi Servers

Dark Angels frequently leverage a RagnarLocker variant to target Linux and VMware ESXi-based systems. The encryption uses a combination of asymmetric ECC and symmetric 256-bit AES in CBC mode. The elliptic curve that was chosen for asymmetric encryption is secp256k1. The ransomware will recursively encrypt files starting from a path specified via the command line.

The following flow diagram illustrates the encryption process.

Figure 6: File encryption process implemented by the RagnarLocker variant used by Dark Angels.

The file encryption routine first generates a random 32-byte value that is used as a per system secp256k1 private key (denoted in the diagram above as pr_v). A secp256k1 public key is then derived from this value (pb_v). An ECDH key exchange is performed using the secp256k1 private key (pr_v)and a hardcoded secp256k1 public key (pr_d) to create a shared secret. The ECDH key exchange code leverages the bitcoin-core libsecp256k1 library. Note that this library uses a custom hash function to derive the shared key, so it is incompatible with many standard elliptic curve libraries. This function takes the result of the ECDH scalar multiplication and the last bit of the y-coordinate, and performs a bitwise OR operation to compute a version number, as shown in the code below.

static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data) {
    unsigned char version = (y32[31] & 0x01) | 0x02;
    secp256k1_sha256 sha;
    (void)data;

    secp256k1_sha256_initialize(&sha);
    secp256k1_sha256_write(&sha, &version, 1);
    secp256k1_sha256_write(&sha, x32, 32);
    secp256k1_sha256_finalize(&sha, output);

    return 1;
}

This value is then prepended to the value of the x-coordinate and a SHA256 hash is computed to generate a shared secret value. The malware then generates another random 32-byte value and a 16-byte initialization vector (ivs). The former serves as a 256-bit master AES key (mk) that is used to encrypt all files in CBC mode along with a per file random 16-byte initialization vector (ivf). This master AES key is then encrypted itself using 256-bit AES in CBC mode with the shared secret value derived from the ECDH operation (and custom hash function) as the key (sk).

These encryption parameters are then placed as a footer in each encrypted file as well as a ransom note that is created for each file. In the event that file encryption is disrupted, the footer in the ransom note can still be used to recover the encryption parameters and therefore decrypt the original file data.

The file footer for the Dark Angels ransomware variant based on RagnarLocker can be defined as the following 177 byte structure:

struct darkangels_ragnarlocker_footer {  
  unsigned char[16] master_aes_iv; 
  unsigned char[65] secp256k1_public_key; 
  unsigned char[32] encrypted_master_aes_key; 
  unsigned char[16] encrypted_file_data_iv; 
  unsigned char[32] file_data_sha256_checksum; 
  unsigned int64 original_filesize; 
  unsigned int num_encrypted_blocks; 
  unsigned int num_mb_to_skip;
};

The first three fields (113 bytes) will be the same for every file that is encrypted on an individual system. The num_mb_to_skip field is determined by the -m command line argument. This parameter determines what percentage of the file will be encrypted based on how many megabytes will be skipped (i.e., not encrypted) for each encrypted 1MB block as shown in the table below.

Table 1: Dark Angels ransomware modes by file encryption percentages.

If the file is less than 10MB, the entire file content will be encrypted and the num_mb_to_skip field will be set to the value 0xAB. If the file is more than 10MB, the ransomware will encrypt each file’s data in blocks of 0x100000 bytes (1MB) and skip the number of blocks specified in the num_mb_to_skip field of the footer before encrypting the next block. This process is shown in the following diagram for a file that is encrypted using the -m 10 parameter, which alternates between encrypting 1MB blocks and skipping 9MB blocks (i.e., 10% of the file will be encrypted).

Figure 7: Example of the Dark Angels encrypted file format with the -m parameter specified to 10.

The purpose of choosing the file encryption mode is to optimize file encryption for very large files, which can potentially take hours for encryption to complete. 

Below is an example of a file with an original size of 5 bytes that was encrypted by the Dark Angels RagnarLocker variant:

Figure 8: Example of the Dark Angels encrypted file structure for a file less than 10MB.

The encrypted file content (the first line shown in red) proceeds the file footer. In this example, the original data was padded to 16 bytes to meet the minimum block length required by AES. The remaining fields highlighted by color correspond to the darkangels_ragnarlocker_footer structure defined above.

Conclusion

In March 2024, Dark Angels received a record $75M ransom payment. Prior to this event, the group has largely remained in the shadows due to their modus operandi, which is quite different from most ransomware groups. Instead of relying on affiliates to conduct attacks, the group operates alone and focuses on a limited number of high-value targets including large publicly traded companies. Dark Angels also selectively chooses whether to deploy ransomware to encrypt files, but in all cases they steal a vast amount of sensitive data.

The decision whether to deploy ransomware is based on how much of a disruptive impact that file encryption will have for the victim organization. Dark Angels is one of the only ransomware groups that actually seeks to limit business disruption and prefers to avoid publicity. This is one of the main reasons the group has been incredibly successful at extorting businesses while attracting very minimal attention.

Zscaler Coverage

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Dark Angels at various levels with the following threat names:

• ELF64.Ransom.RagnarLocker