Dark Angels Team Ransomware: Analysis, Detection, and Recovery

Dark Angels Team Ransomware: The Emerging Threat in Cybersecurity

In the ever-evolving landscape of cyber threats, a new malicious contender has emerged, casting a shadow over the digital domain. The Dark Angels Team ransomware first made its insidious debut in May 2022, quickly gaining notoriety for its double extortion tactics. Unlike traditional ransomware, which simply encrypts a victim’s files, Dark Angels Team takes a two-pronged approach, demanding payment for both a decryption key and a pledge not to publish stolen data.

This menacing software initially targeted Windows systems, leveraging payloads derived from the leaked Babuk builders, but it has since expanded its reach to Linux/ESXi systems, displaying a level of sophistication reminiscent of the RagnarLocker ransomware.

The Johnson Controls Cyberattack: A Case Study

A particularly notable incident involving Dark Angels Team ransomware occurred in September 2023, when Johnson Controls, a global leader in building automation and management systems, fell victim to a ransomware attack. This incident not only disrupted the company’s operations but also raised alarms due to the ransom demand of a staggering $51 million.

The attackers claimed to have exfiltrated approximately 27 terabytes of data, including potentially sensitive information related to the Department of Homeland Security (DHS), such as security details and facility floor plans. The scale and audacity of the attack serve as a stark reminder of the potent threat posed by Dark Angels Team ransomware.

Technical Dissection of Dark Angels Team Ransomware

Key Characteristics

The double extortion model employed by Dark Angels Team ransomware is particularly concerning for industries that handle sensitive data. The group behind this ransomware has cast a wide net, targeting various sectors, including healthcare, government, finance, and education. A high-profile example of this was the ransomware’s exploitation of Johnson Controls’ VMWare ESXi servers, which was a significant component of the attack.

When dissecting the payloads of Dark Angels Team ransomware, we observe that the Windows payloads bear a striking resemblance to the Babuk ransomware, featuring similar disruptive capabilities designed to hinder system recovery and terminate processes that could interfere with the encryption process. On the other hand, the Linux/ESXi payloads are bespoke 64-bit ELF binaries tailored for Intel-based Linux systems. These payloads utilize AES encryption with a 256-bit key and exhibit functionalities like logging encryption progress to a hardcoded file (wrkman.log) and supporting optional arguments to control encryption threads and enable verbose logging.

Network Spread

The ransomware’s ability to spread across networks is a significant concern for organizations. The Windows version of Dark Angels Team ransomware is designed to propagate to adjacent hosts, processing each machine serially. This method, while effective, can be inefficient and time-consuming, potentially allowing for detection and intervention before the ransomware fulfills its destructive potential.

Detection and Mitigation: A Proactive Approach

Detection Techniques

Detecting activities related to Dark Angels Team ransomware requires a comprehensive strategy. The SentinelOne Singularity XDR Platform is adept at identifying and thwarting such activities. Without the aid of SentinelOne, organizations must adopt a multi-layered approach that includes anti-malware tools, network traffic monitoring, regular security audits, employee training, and a robust backup and recovery plan.

Mitigation Measures

In the event of an attack, the SentinelOne Singularity XDR platform can restore systems to their pre-attack state using its Quarantine or Repair functionalities. For organizations not utilizing SentinelOne, several key mitigation measures can be implemented:

  • Employee Education: Training employees to recognize and report phishing attempts and other cybersecurity threats is a vital line of defense.
  • Strong Password Policies: Enforcing the use of strong, unique passwords and mandating regular password changes can significantly enhance security.
  • Multi-factor Authentication (MFA): Implementing MFA adds an additional layer of security to user accounts, making unauthorized access more challenging.
  • Regular Updates and Patching: Keeping systems up-to-date and patched is essential to close off vulnerabilities that could be exploited by attackers.
  • Backup and Disaster Recovery: Establishing and maintaining regular backup processes, with offsite storage and routine testing, is crucial for quick and reliable data restoration in the event of a ransomware attack.

Relevance to Cryptocurrencies

The connection between ransomware operations like Dark Angels Team and cryptocurrencies is undeniable. Attackers typically demand ransoms in cryptocurrencies to take advantage of the anonymity and difficulty in tracing such transactions. For organizations operating within the cryptocurrency space, understanding the operation and mitigation of ransomware is critical, as they are often prime targets due to the nature of their business.

Industry Expert Insights and Opinions

The Johnson Controls attack has drawn commentary from a range of cybersecurity professionals. Graham Cluley, a renowned security expert, suggests that law enforcement agencies will likely pursue the Dark Angels Team with vigor. He raises an important point about the attackers’ demand to avoid involving law enforcement, questioning the practicality of such a request. Grant Geyer, Chief Product Officer at Claroty, emphasizes the risks associated with IT/OT convergence. He points out that as organizations continue to integrate their digital operations to gain competitive advantages, the digital risks will escalate, making cybersecurity measures like network segmentation more crucial than ever. Tom Kellermann, Senior VP of Cyber Strategy at Contrast Security, notes the common targeting of VMware ESXi servers by attackers and expresses his concern over the potential for a widespread impact on critical infrastructure.

The FBI has also issued a notification regarding emerging ransomware trends, highlighting the increasing instances of multiple attacks on the same victims and new tactics involving data destruction. This serves as a reminder that ransomware groups like Dark Angels Team are continually evolving their methods to increase their chances of success.

Public and Governmental Response

The public reaction to the Johnson Controls ransomware incident has been one of concern, particularly among customers experiencing system outages. An internal DHS memo leaked in the aftermath of the attack underlines the uncertainty about the extent of the data breach and the potential implications for national security.

Business Continuity and Remediation Efforts

In the wake of the ransomware attack, Johnson Controls took immediate action, as detailed in their SEC Form 8-K filing. The company acknowledged the disruptions to their IT infrastructure and applications and began an investigation with the assistance of external cybersecurity experts. They also coordinated with their insurers to manage the fallout from the incident.

The attack’s ramifications extended to Johnson Controls’ subsidiaries, such as York, Simplex, and Ruskin, which displayed technical outage messages on their websites and customer portals. To maintain customer service, Johnson Controls implemented various workarounds and activated their business continuity plans. Despite these measures, the company recognized the ongoing disruptions and the potential impact on their financial reporting.


The Dark Angels Team ransomware represents a significant and evolving threat to organizations worldwide. The Johnson Controls incident underscores the importance of robust cybersecurity measures, including proactive detection and mitigation strategies, to protect against such attacks. By understanding the technical characteristics of this ransomware, leveraging advanced tools like SentinelOne, and following industry best practices, organizations can better safeguard their digital assets against the sophisticated tactics employed by cybercriminal groups.

The cryptocurrency industry, in particular, must remain vigilant, as the anonymous nature of cryptocurrency transactions makes it a favored method for ransom demands. As ransomware continues to pose a serious threat to businesses and critical infrastructure, staying informed and prepared is more important than ever.

In conclusion, the Dark Angels Team ransomware is a stark reminder of the persistent and dynamic challenges that cyber threats pose. By learning from incidents such as the one that befell Johnson Controls and heeding the advice of cybersecurity experts, organizations can enhance their resilience against these malicious campaigns and ensure the continuity of their operations in an increasingly interconnected and digital world.