Dark Angels is a human-operated ransomware operation first observed in May 2022. It conducts intrusions against organizations worldwide, typically performing lateral movement, stealing data for double extortion, obtaining domain controller access, and then deploying ransomware. The group launched a data leak site called "Dunghill Leaks" in April 2023 to pressure victims by threatening publication of stolen data. Reporting in the provided content states that when Dark Angels debuted it used a Babuk-derived ransomware variant, including Windows and VMware ESXi/Linux encryptors, and later switched to Ragnar Locker tooling; one cited researcher assessment says the Linux encryptor used in the Johnson Controls incident matched encryptors used by Ragnar Locker since 2021.
The content specifically links Dark Angels to ransomware activity against VMware ESXi environments. It is named among groups increasingly targeting ESXi, and a cited sample of a Dark Angels ESXi encryptor was reportedly used in the Johnson Controls incident. In that case, the attackers were reported to have encrypted VMware ESXi virtual machines, demanded $51 million for a decryptor and deletion of stolen data, and claimed theft of more than 27 TB of corporate data. Johnson Controls subsequently confirmed a cybersecurity incident that disrupted portions of its internal IT infrastructure and applications. The content also states Dark Angels has been observed in ransomware trend reporting, accounting for 3.8% of observed variants in Q3 2022.
Dark Angels is associated in the provided reporting with large-scale "big game hunting" extortion. Zscaler ThreatLabz and Chainalysis are cited as reporting that a Fortune 50 U.S. company paid Dark Angels a $75 million ransom, described as the highest publicly known ransomware payment. The content does not conclusively identify that victim. High-confidence behaviors directly mentioned include data theft, double extortion, ransomware deployment against enterprise environments including ESXi, and use of leak-site pressure via Dunghill Leaks.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi...
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware operation described as using ESXi-specific variants and destructive actions against backups to increase impact and ransom leverage in hypervisor-focused intrusions.
Dark Angels is a ransomware group known for high-value extortion attacks, encrypting victim data and demanding large ransom payments.
Human-operated ransomware operation (launched May 2022) that breaches corporate networks, moves laterally, steals data for double-extortion, and deploys Windows and VMware ESXi encryptors to encrypt devices/virtual machines; operates a leak site ('Dunghill Leaks') to pressure victims.
Ransomware variant newly appearing among the top observed variants in Q3 2022.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.