Dark Angels (also known as GOLD ANGEL) is a financially motivated cybercrime group that has rapidly ascended to become a significant threat in the ransomware landscape. They operate the Dark Angels ransomware and utilize the "Dunghill Leak" data leak site (DLS) for double extortion tactics – encrypting victims' files and threatening to release stolen data if a ransom is not paid. Unlike many ransomware groups that operate on a Ransomware-as-a-Service (RaaS) model with affiliates, Dark Angels appears to work independently, targeting high-value organizations for maximum financial gain. Their focus is primarily on large-scale data exfiltration, often stealing tens or even hundreds of terabytes of data, with encryption used more selectively. This focus on data theft, combined with a recent alleged record-breaking ransom payment, positions Dark Angels as a major threat, particularly for large enterprises.
Dark Angels emerged in May 2022, with the first victim appearing on their Dunghill Leak site in January 2023. Their initial Windows ransomware payloads were based on leaked Babuk ransomware builders, sharing many features with Babuk. However, their Linux/ESXi payloads are distinctly different, showing similarities to RagnarLocker. This divergence suggests they either acquired or developed separate codebases for different operating systems.
By September 2023, there were indications that Dark Angels had shifted to a variant of Ragnar Locker for encryption. They have also claimed to have developed their own custom encryptor, although this hasn't been definitively confirmed by independent researchers. This evolution highlights the group's adaptability and willingness to invest in their tools and techniques.
The group's late adoption of a data leak site (Dunghill Leak, established in April 2023) indicates an initial reluctance to publicly shame victims. The site itself is described as unpolished, further reinforcing their focus on financial gain over notoriety. The leak site primarily lists victims who refused to negotiate or pay, serving as a form of pressure and proof of their capabilities.
There's been speculation linking Dark Angels to Initial Access Brokers (IABs), specifically GOLD MELODY. The observed long dwell times between initial network access and ransomware deployment support this theory, suggesting Dark Angels may purchase access from other groups rather than conducting their own initial intrusions.
Dark Angels' modus operandi is characterized by several key tactics:
Big Game Hunting: They target large, often multinational, organizations with the potential for significant ransom payments.
Massive Data Exfiltration: Their primary tactic is to steal vast amounts of data (often 10-100 TB), placing significant pressure on victims to pay to prevent its release. This is their primary leverage.
Selective Encryption: While capable of encryption, they may not always deploy ransomware to encrypt all systems. Data theft appears to be the higher priority.
Double Extortion: They employ the classic double extortion tactic, threatening to publicly release stolen data on their Dunghill Leak site if the ransom is not paid.
Low Profile: They aim for minimal public attention, preferring to operate quietly and avoid attracting unnecessary scrutiny.
No Affiliates: Unlike many ransomware groups, they do not use affiliates, suggesting a tighter, more controlled operation, and possibly indicating greater technical skill within the group.
Vulnerability Exploitation: Reports have linked Dark Angels to exploiting a vulnerability in Oracle WebLogic Server.
Post-Compromise tools:

| Tool | Purpose |
|---|---|
| Advanced IP Scanner | Network reconnaissance |
| 7-Zip | File staging and compression for exfiltration |
| FileZilla and WinSCP | Data exfiltration |
| Windows Event Log Deletion and File Shredding | Anti-forensics; hiding their tracks |
| Ragnar Locker Variant | File encryption, especially on Linux and ESXi systems |
| Custom hash function from bitcoin-core libsecp256k1 | Key exchange (ECDH) on Linux/ESXi systems |
| ChaCha20 with NULL 8-byte nonce | Symmetric encryption on Windows |
| AES-256 CBC | Symmetric encryption on Linux/ESXi |
| -m command-line argument | Controls the percentage of each file that is encrypted |
Attack Stages (Illustrative Example):
Initial Access: Potentially through an IAB (like GOLD MELODY), phishing, or vulnerability exploitation (e.g., Oracle WebLogic).
Reconnaissance: Using tools like Advanced IP Scanner to map the network and identify valuable data.
Data Staging: Using 7-Zip to compress and prepare data for exfiltration.
Data Exfiltration: Transferring massive amounts of data using FileZilla or WinSCP, likely to cloud storage or other controlled infrastructure.
Encryption (Selective): Deploying ransomware (possibly a Babuk or Ragnar Locker variant, or their own custom encryptor) to encrypt files, potentially targeting specific systems or data.
Extortion: Contacting the victim with a ransom demand and threatening to release the stolen data on the Dunghill Leak site.
Anti-forensics: Deleting Windows event logs and shredding files to hide their tracks.
Dark Angels has demonstrated a broad targeting strategy, impacting organizations across various sectors, including:
Healthcare: High-value data and potential for significant disruption make this a prime target.
Finance: Financial data and the potential for large payouts are attractive.
Government: Espionage motives or disruption of government services could be factors.
Education: Often have weaker security postures and valuable research data.
Technology: Access to intellectual property and source code.
Manufacturing: Sensitive data related to trade secrets, product designs, and supply chains.
Food Distribution: Companies in critical supply chains are appealing targets.
Travel and Hospitality: Targeting customer data and booking systems.
The geographic scope is also broad, with known or suspected victims in the United States and likely other regions. Their focus is primarily on large, multinational corporations with the capacity to pay substantial ransoms.
Specific Examples:
Sysco (May 2023): Global food distribution giant.
Sabre (September 2023): Major travel booking company.
Johnson Controls (September 2023): Multinational conglomerate, with a $51 million ransom demand for 27TB of data.
Nexperia (semiconductor manufacturing): Illustrates the types of data targeted (quality control, client info, engineering data, NDAs, trade secrets, semiconductor tech, pricing, employee data, personal data, passports, contracts, salaries, schematics of chips/microchips, email, transistor blueprints).
Cencora (formerly AmeriSourceBergen) (Suspected, early 2024): Fortune 500 pharmaceutical company, strongly suspected to be the victim of the record $75 million ransom payment.
Early Activity (2022-2023): Initial attacks using Babuk-based ransomware, targeting various sectors. Establishment of the Dunghill Leak site in April 2023.
Sysco and Sabre Attacks (May-September 2023): High-profile attacks demonstrating their capabilities and focus on large organizations.
Johnson Controls Attack (September 2023): A significant attack highlighting their use of a Ragnar Locker variant, large-scale data exfiltration (27TB), and a substantial ransom demand ($51 million). This attack involved the encryption of VMware ESXi servers.
Nexperia Attack: The datasets exfiltrated from Nexperia serve as a cautionary example for other organizations.
Alleged Cencora Attack (Early 2024): While unconfirmed by Cencora, strong circumstantial evidence (SEC filings, Zscaler reports, Chainalysis confirmation, and cryptocurrency transaction details) points to them being the victim of the record-breaking $75 million ransom payment to Dark Angels. This attack involved the exfiltration of 100 TB of data. The timeline of events:
* February 21, 2024: Cencora discovered data exfiltration.
* February 27, 2024: Cencora disclosed the breach in an 8-K SEC filing.
* July 29, 2024: Zscaler publishes a report revealing a $75 million ransom payment to Dark Angels.
* July 30, 2024: Zscaler posts on X about the payment being made by a Fortune 50 company.
* July 31, 2024: Cencora amends its 8-K filing, noting additional data exfiltration (PII and PHI) but claiming no material impact.
* September 18, 2024: Bloomberg reports confirmation from sources that Dark Angels received the $75 million ransom from Cencora; the original demand was $150 million.
* September 18, 2024: ZachXBT posts details of Bitcoin transactions allegedly made by Cencora to Dark Angels in March.
Defending against Dark Angels requires a multi-layered approach, focusing on both prevention and detection:
Robust Data Backup and Recovery: Implement a comprehensive backup strategy, including offline backups that are regularly tested. This is crucial for recovery in case of encryption.
Network Segmentation: Divide the network into smaller, isolated segments to limit the lateral movement of attackers.
Least Privilege Principle: Strictly control user access rights, granting only the necessary permissions for each user and process.
Multi-Factor Authentication (MFA): Implement MFA for all critical systems and accounts, especially for remote access.
Patch Management: Regularly update and patch all software and systems to address known vulnerabilities. This is particularly important for externally facing systems.
Email Security: Implement strong email filtering and security gateways to block phishing attempts and malicious attachments.
Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoints for suspicious activity and provide real-time threat detection and response.
Network Traffic Monitoring: Monitor network traffic for unusual patterns, large data transfers, and communication with known malicious IP addresses or domains.
Security Awareness Training: Regularly train employees on cybersecurity best practices, including how to identify and report phishing attempts, social engineering tactics, and suspicious emails.
Incident Response Plan: Develop and regularly test a comprehensive incident response plan to ensure a swift and effective response to a potential attack and to limit the damage.
Threat Intelligence: Leverage threat intelligence feeds and platforms to stay informed about the latest ransomware threats, including Dark Angels' TTPs and indicators of compromise (IOCs), which aid in early detection.
Dark Web Monitoring: Organizations can use third parties to monitor the dark web, including the Dunghill Leak site, for mentions of their brand or data.
Vulnerability Scanning: Run vulnerability scans against ESXi systems to find and close security gaps in them, and regularly review critical Windows directories and Linux system files for unauthorized changes. A patch management strategy is crucial for addressing vulnerabilities promptly. Tools such as Amass can help with mapping your own externally visible attack surface, and SOAR platforms can automate threat detection and incident response.
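A detection sketch that ties the post-compromise tool table and attack stages above to the monitoring controls in this list: it scans flow records and Windows event records for bulk outbound transfers over the FTP/SFTP ports used by FileZilla and WinSCP, and for cleared Security or System logs. This is an added example, not code from the article; the 50 GB threshold, the JSON field names and the sample records are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample telemetry as JSON lines (not real logs from any incident).
# "flow" records are outbound network flows; "winlog" records are Windows events.
SAMPLE_LOG = """
{"type":"flow","host":"ws-fin-07","dst":"203.0.113.45","dport":22,"bytes_out":21000000000}
{"type":"flow","host":"ws-fin-07","dst":"203.0.113.45","dport":22,"bytes_out":24000000000}
{"type":"flow","host":"ws-fin-07","dst":"203.0.113.45","dport":22,"bytes_out":19000000000}
{"type":"flow","host":"ws-hr-02","dst":"198.51.100.9","dport":443,"bytes_out":52000000}
{"type":"winlog","host":"srv-dc01","event_id":1102,"channel":"Security"}
{"type":"winlog","host":"srv-file01","event_id":4624,"channel":"Security"}
{"type":"winlog","host":"srv-file01","event_id":104,"channel":"System"}
"""

# Ports used by FTP, SFTP and FTPS clients such as FileZilla and WinSCP.
EXFIL_PORTS = {21, 22, 990}
# Assumed per host/destination volume threshold; tune to the environment's baseline.
EXFIL_THRESHOLD_BYTES = 50 * 10**9
# Windows logs 1102 when the Security log is cleared and 104 when the System log is cleared.
LOG_CLEARED_IDS = {1102, 104}


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, host, detail) alerts for log clearing and bulk FTP/SFTP transfers."""
    alerts = []
    outbound = defaultdict(int)  # (host, dst) -> total bytes sent on exfil ports
    for ev in events:
        if ev["type"] == "flow" and ev["dport"] in EXFIL_PORTS:
            outbound[(ev["host"], ev["dst"])] += ev["bytes_out"]
        elif ev["type"] == "winlog" and ev["event_id"] in LOG_CLEARED_IDS:
            detail = f"{ev['channel']} log cleared (Event ID {ev['event_id']})"
            alerts.append(("event_log_cleared", ev["host"], detail))
    for (host, dst), total in outbound.items():
        if total >= EXFIL_THRESHOLD_BYTES:
            alerts.append(("bulk_exfil", host, f"{total / 1e9:.0f} GB to {dst} over FTP/SFTP"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] {host}: {detail}")
```

In a real deployment the flow and event sources would be an EDR or SIEM export, and the threshold should sit well above the normal daily volume of any legitimate FTP/SFTP job.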
Dark Angels has quickly established itself as a formidable threat in the ransomware landscape. Their focus on "big game hunting," massive data exfiltration, and selective encryption, combined with their apparent independence from the affiliate model, makes them a unique and dangerous adversary. The alleged record-breaking $75 million ransom payment, while not officially confirmed, underscores the significant financial risk they pose to large organizations. Continuous vigilance, proactive security measures, and a robust incident response plan are essential for defending against this evolving and increasingly sophisticated threat. The group's ability to adapt their tools and techniques, coupled with their apparent willingness to target high-value organizations, necessitates a heightened level of security awareness and preparedness.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.