Dark Angels Ransomware: Precision Cyber Extortion Tactics.

“Dark Angels Ransomware: Precision-Targeted Stealth and Sophistication in Cyber Extortion”

Understanding the Dark Angels Ransomware Group: Strategies and Impacts on Global Corporations

The Dark Angels ransomware group, a name that has become synonymous with fear in the corridors of global corporations, represents a formidable force in the cybercrime world. Known for their “sophisticated” and “stealthy” attack strategies, this group primarily targets large corporations, extracting significant ransom payments. Their notoriety was cemented early in 2024 when they coerced a staggering $75 million from a Fortune 50 company, setting a chilling precedent for the scale of cyber extortion.

Originating from Russian-speaking regions in April 2022, Dark Angels has quickly evolved, showcasing a revolutionary approach to cyber attacks. Unlike many of their contemporaries who rely on third-party initial access brokers, Dark Angels prides itself on executing precision-targeted breaches. They employ advanced tactics such as phishing campaigns and exploiting vulnerabilities, like the CVE-2023-22069 in public-facing applications, to gain initial access into their target’s systems.

Once they infiltrate a network, their operation shifts gears dramatically. They perform extensive reconnaissance to understand the environment deeply before escalating privileges to obtain domain administrator access. This level of control allows them to systematically exfiltrate massive amounts of sensitive data, ranging from 1 to 100 terabytes. The stolen data finds its way onto their data leak site “Dunghill Leak” on the Tor network and is also broadcasted through their Telegram channel (@leaksdirectory).

Their modus operandi doesn’t stop at mere data theft. The Dark Angels’ double-extortion strategy involves traditional file encryption paired with data theft, targeting high-value enterprises across various sectors including healthcare, technology, manufacturing, and telecommunications across the US, Europe, South America, and Asia. This selective targeting coupled with sophisticated lateral movement techniques within compromised networks allows them to maintain stealth while maximizing financial gains through their Ransomware-as-a-Service (RaaS) model.

Technically, Dark Angels has shown significant evolution. Initially using basic Babuk ransomware, they have now developed more advanced variants like RTM Locker for Windows systems and RagnarLocker for Linux/ESXi environments. On Windows systems, they have shifted from using traditional HC-128 encryption to more secure ChaCha20 and implemented Elliptic Curve Cryptography (ECC) using Curve25519 by generating unique 32-byte private keys per file. The encryption process involves an Elliptic-Curve Diffie-Hellman key exchange with a hardcoded public key, resulting in a shared secret that serves as the ChaCha20 encryption key.

For Linux and ESXi systems, they employ secp256k1 elliptic curve cryptography combined with AES-256 in CBC mode using a custom bitcoin-core libsecp256k1 library for key derivation. Their encryption strategy smartly includes a file-size-based approach where files under 10MB are fully encrypted while larger files undergo selective 1MB block encryption with configurable skip intervals. This method optimizes the encryption process for extensive datasets.

The distinctive operational methodology of working independently without affiliates specifically targets high-value organizations. Moreover, the Dark Angels employ a strategic approach of combining data exfiltration with selective encryption which not only maximizes impact but also instills a deep sense of vulnerability among targeted entities.

As corporations globally brace themselves against such formidable adversaries, the tale of Dark Angels serves as a stark reminder of the evolving landscape of cyber threats and the ever-increasing stakes involved in safeguarding sensitive corporate data. The worry among cybersecurity circles is palpable, as each new attack unfolds layers of sophisticated strategies employed by groups like Dark Angels, pushing the boundaries of defensive capabilities to their limits.

  • Related Posts

    MSC Files and Phishing: The FLUX#CONSOLE Threat Unveiled.

    “Unmasking the FLUX#CONSOLE: Securonix Threat Research Exposes Evolving Phishing Tactics with MSC Files” Overview Of The FLUX#CONSOLE Campaign

    Read more

    WPML Plugin Vulnerability Threatens 1M+ WordPress Sites

    “Over 1 million WordPress sites at critical risk: WPML’s Remote Code Execution vulnerability exposes the dangers of insecure

    Read more

    Leave a Reply