DarkAngels is a ransomware family identified by Cyble Research Labs. Available reporting describes it as a new ransomware operation and assesses the malware as strongly linked to Babuk, with code and behavioral similarities suggesting rebranded or modified Babuk-derived code. Separate reporting also states DarkAngels was observed using Ragnar Locker’s original ESXi encryptor in an attack on Johnson Controls, although the exact relationship between DarkAngels and Ragnar Locker is unclear.
The analyzed DarkAngels sample is a 32-bit Windows GUI binary. Its behavior includes increasing execution time before shutdown via SetProcessShutdownParameters(), enumerating and terminating services and processes that may interfere with encryption, deleting Volume Shadow Copies with vssadmin.exe, and emptying the Recycle Bin via SHEmptyRecycleBinA(). Reported targeted services/processes include VSS, SQL, Memtas, sql.exe, oracle.exe, and powerpnt.exe. It gathers system information with GetSystemInfo(), creates a thread per CPU, encrypts files, and drops the ransom note How_To_Restore_Your_Files.txt.
DarkAngels excludes certain folders, files, and extensions from encryption, including AppData, Boot, Windows, Windows.old, autorun.inf, boot.ini, bootfont.bin, and extensions such as .exe, .dll, and .babyk. Encrypted files are appended with the .crypt extension. Cyble also reported that DarkAngels appends the string "choung dong looks like hot dog" to encrypted files, a behavior linked to Babuk.
The malware can encrypt beyond the local system. When invoked with the shares argument, it uses NetShareEnum() to enumerate shared resources and checks for the $ADMIN share before encrypting. When invoked with the paths argument, it uses GetDriveTypeW() to identify network drives and encrypt files on them. If -paths and -shares are not provided and no mutex named "DarkAngels" is opened, it recursively traverses local drives and encrypts files.
The ransom note instructs victims to contact the operators via a Tor website and threatens disclosure of stolen data within four days if the victim does not respond, including possible notification of government supervision agencies, competitors, and clients. Reporting characterizes DarkAngels activity as highly targeted because the ransom note and threat actor website reportedly contained a specific organization’s name. No dedicated DarkAngels leak site had been identified at the time of the cited reporting.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware operation reported to have used Ragnar Locker’s original ESXi encryptor in an attack; relationship to Ragnar Locker (offshoot/rebrand/source-code purchase) is unclear.
Targeted ransomware that terminates services/processes (e.g., VSS/SQL-related), deletes shadow copies via vssadmin.exe, empties the recycle bin, enumerates local drives and network shares/paths, encrypts files, drops a ransom note (How_To_Restore_Your_Files.txt), and appends the extension ".crypt" to encrypted files.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.