Dark Angels Ransomware Attacking Windows And Linux, ESXi Systems

The Dark Angels ransomware group is known for its “sophisticated” and “stealthy” attack strategies that primarily target large corporations for significant ransom payments. 

This group has gained fame for executing highly targeted attacks, including a record-breaking “ransom of $75 million” paid by a ‘Fortune 50 company’ in early 2024.

Zscaler researchers recently uncovered that “Dark Angels” ransomware has been actively attacking Windows, Linux, and ESXi systems.

Dark Angels Ransomware

The “Dark Angels” ransomware group emerged in April 2022 from “Russian-speaking” regions and has revolutionized cyber attacks via their sophisticated methodology. 

Operating without third-party “initial access brokers,” they execute “precision-targeted breaches” using advanced tactics like “phishing campaigns” and “exploiting vulnerabilities” (‘CVE-2023-22069‘) in public-facing applications. 

Their technical arsenal offers:-

  • Modified versions of Babuk-based ransomware
  • RTM Locker for Windows systems
  • RagnarLocker variants for Linux/ESXi environments

Once inside a network, they “perform extensive reconnaissance,” “escalate privileges to obtain domain administrator access,” and “systematically exfiltrate massive amounts of sensitive data” (ranging from 1 to 100 terabytes) through their data leak site “Dunghill Leak” on the ‘Tor network’ and ‘Telegram channel’ (@leaksdirectory).

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

Their double-extortion strategy combines “traditional file encryption with data theft,” “targeting high-value enterprises across healthcare,” “technology,” “manufacturing,” and “telecommunications sectors” in ‘the US,’ ‘Europe,’ ‘South America,’ and ‘Asia.’

A timeline of significant Dark Angels’ activity (Source – Zscaler)

Unlike conventional ransomware groups that conduct widespread attacks, “Dark Angels” selective targeting and sophisticated lateral movement techniques within compromised networks have allowed them to maintain operational “stealth” while maximizing financial gains via their RaaS model.

The technical evolution of Dark Angels shows an advancement from using basic “Babuk ransomware” to more advanced variants like “RTM Locker” for Windows systems and “RagnarLocker” for Linux/ESXi environments. 

On Windows, they replaced the traditional “HC-128 encryption” with “ChaCha20” and implemented “ECC” using “Curve25519” by generating unique “32-byte private keys” per file. 

File encryption process implemented by the RagnarLocker variant used by Dark Angels (Source – Zscaler)

The encryption process involves an “Elliptic-Curve Diffie-Hellman” (‘ECDH’) key exchange with a hardcoded public key, resulting in a shared secret that serves as the “ChaCha20 encryption key.” 

For “Linux” and “ESXi” systems they employ “secp256k1” elliptic curve cryptography combined with “AES-256” in “CBC” mode by using a custom bitcoin-core “libsecp256k1 library” for key derivation. 

Their encryption strategy includes a smart file-size-based approach where the “files under 10MB are fully encrypted,” while larger files undergo selective “1MB block encryption” with configurable skip intervals, optimizing the encryption process for extensive datasets. 

The group’s distinctive operational methodology involves working independently “without affiliates” that specifically targets “high-value organizations.” 

Besides this, the Dark Angels employ a “strategic approach” of combining “data exfiltration” with selective encryption.

IoCs

IOCs (Source – Zscaler)

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar

The post Dark Angels Ransomware Attacking Windows And Linux, ESXi Systems appeared first on Cyber Security News.