{
	"id": "6918f56e-926a-496c-ab4d-ad45884d2d3a",
	"created_at": "2026-04-06T00:17:43.780707Z",
	"updated_at": "2026-04-10T13:12:39.808089Z",
	"deleted_at": null,
	"sha1_hash": "687a57902b31949f86bbf39d7d3106ffd0a7f4c7",
	"title": "DarkAngels Ransomware: Targeted Attack by Rebranded Babuk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 801579,
	"plain_text": "DarkAngels Ransomware: Targeted Attack by Rebranded Babuk\r\nBy cybleinc\r\nPublished: 2022-05-06 · Archived: 2026-04-05 23:42:23 UTC\r\nRebranded Babuk Ransomware in Action: DarkAngels Ransomware Performs Targeted Attack\r\nThis deep-dive analysis of one of the DarkAngels ransomware samples presents recommendations on how to\r\nprotect yourself/your organization from the malware.\r\nCyble Research Labs has identified a new ransomware malware known as DarkAngels. Analysis of the\r\nDarkAngels malware uncovered similarities between it and the Babuk Ransomware.\r\nWhile executing the sample, we observed that the ransom note and the TAs’ website contain a specific\r\norganization’s name, indicating that the malware sample may have been developed as part of a highly targeted\r\nattack.\r\nThis blog showcases the deep-dive analysis of one of the DarkAngels ransomware samples to identify its\r\ncapabilities and the way to protect yourself/your organization from it.\r\nTechnical Analysis\r\nBased on static analysis, we found that the malicious file is a 32-bit Graphical User Interface (GUI) based binary,\r\nas shown in Figure 1.\r\nhttps://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/\r\nPage 1 of 10\n\nFigure 1 – Static File Information of DarkAngels Sample\r\nUpon execution, the malware first sets the shutdown priority of its process to zero by calling\r\nthe SetProcessShutdownParameters() API, so that the malware’s activities are terminated only at\r\nsystem shutdown. This is a way to increase the amount of time the malware gets to execute on the compromised\r\nmachine.\r\nFigure 2 – Malware Changes the Priority of the Process\r\nThe malware tries to terminate services before encrypting the system to ensure no interruption during its\r\nencryption process. 
To identify the services on the victim’s machine, it calls the OpenSCManagerA() API, which\r\nestablishes a connection to the service control manager and gives the malware access to the service control\r\nmanager database, as shown in Figure 3.\r\nFigure 3 – Enumerates Services\r\nAfter gaining access, the malware enumerates the services and fetches the service names on the victim’s machine.\r\nThe ransomware then checks for the presence of services such as VSS, SQL, Memtas, etc., and terminates them if\r\nthey are actively running on the victim’s machine.\r\nThe ransomware also enumerates the running processes using the CreateToolhelp32Snapshot(), Process32FirstW(),\r\nand Process32NextW() APIs, checks for process names such as sql.exe, oracle.exe, powerpnt.exe, etc., and\r\nterminates them if they are actively running.\r\nFigure 4 – Terminates Active Processes\r\nFurthermore, we noticed that the binary launches the vssadmin.exe process to delete all Shadow Copies, as shown\r\nin Figure 5. 
The malware deletes shadow copies to prevent recovery of the system after encrypting the files.\r\nFigure 5 – Deletes All Shadow Copies\r\nThe malware deletes all items from the Recycle Bin by calling the SHEmptyRecycleBinA() API to ensure no\r\ndeleted files are restored after encryption.\r\nFigure 6 – Deletes Items from Recycle Bin\r\nNext, DarkAngels Ransomware retrieves system information using the GetSystemInfo() API, which\r\nreturns information such as NumberOfProcessors.\r\nFigure 7 – DarkAngels Ransomware Collects System Info\r\nThe malware then creates one thread for each CPU it finds, creates ransom notes named\r\nHow_To_Restore_Your_Files.txt, and encrypts the files present on the victim’s machine.\r\nThe malware enumerates the system and excludes folders such as AppData, Boot, Windows, Windows.old,\r\netc., from the encryption process.\r\nThe ransomware specifically excludes files such as autorun.inf, boot.ini, bootfont.bin, etc., from encryption.\r\nThe ransomware also excludes file extensions such as .exe, .dll, and .babyk. 
The .babyk extension is well known\r\nfor Babuk ransomware, which indicates that DarkAngels is linked to Babuk ransomware.\r\nLike Babuk ransomware, DarkAngels appends the signature “choung dong looks like hot dog” at the end of each\r\nencrypted file, further indicating that the ransomware is linked to Babuk.\r\nFigure 8 – Appends Signature at the end of an encrypted file\r\nThe figure below shows the ransom note dropped by the malware with the name\r\n“How_To_Restore_Your_Files.txt”, which instructs the victims to pay the ransom for the decryption tool.\r\nFigure 9 – Ransom note\r\nIn their ransom note, the TAs instruct victims to contact them through their TOR website. In addition, the\r\nTAs threaten to disclose the victims’ data if they do not respond within four days after the attack, and to notify\r\ngovernment supervision agencies, competitors, and clients.\r\nAfter dropping the ransom notes, the malware encrypts the files on the victim’s machine and appends the\r\n“.crypt” extension, as shown in the figure below.\r\nFigure 10 – Encrypted Files on the Machine\r\nDarkAngels has the capability to spread through network shares and paths of the infected machine, as shown in\r\nFigure 11.\r\nFigure 11 – Checks for Network shares and paths\r\nIf the given command-line argument is “shares,” the ransomware finds network shares and retrieves\r\ninformation about each shared resource on a server using the NetShareEnum() API. Furthermore, it checks for the\r\nADMIN$ share and starts encrypting the files.  
\r\nFigure 12 – Enumerate Shares and Encrypt Files\r\nIf the given command-line argument is “paths,” the ransomware calls the GetDriveTypeW() API to find the\r\nnetwork drives connected to the infected machine. Once a network drive is identified, the ransomware starts\r\nencrypting the files.\r\nFigure 13 – Enumerate Drives and Encrypt Files\r\nWhen the command-line arguments “-paths” and “-shares” are not provided, and no mutex named\r\n“DarkAngels” is open on the infected machine, the ransomware recursively traverses all local drives\r\nand encrypts the files.\r\nFigure 14 – Enumerates Local Drives\r\nThe image below shows the warning message to a victim company.\r\nFigure 15 – Warning message to a Victim Company\r\nThe image below shows financial transactions of over $1M to the TAs’ BTC address.\r\nFigure 16 – Financial Transactions\r\nConclusion\r\nThere is a strong correlation between the DarkAngels malware and the existing Babuk ransomware code. It is\r\ncommon for threat actors to leverage existing code, modify it, and rebrand it. Unlike Babuk ransomware,\r\nDark Angels are using the malware to target specific organizations. This approach shows that some TAs are\r\nspecifically selecting their targets. Thus far, no DarkAngels leak site has been identified. 
However, considering the\r\ntargeted attacks, one might appear soon.\r\nWe will continue to monitor DarkAngels’ extortion campaigns and update our readers with the latest information.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:\r\nSafety measures needed to prevent ransomware attacks\r\nConduct regular backups and keep those backups offline or on a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices\r\nwherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nUsers should take the following steps after a ransomware attack\r\nDetach infected devices from the network.\r\nDisconnect external storage devices if connected.\r\nInspect system logs for suspicious events.\r\nImpacts and Criticality of DarkAngels Ransomware:\r\nLoss of valuable data.\r\nLoss of organization’s reliability or integrity.\r\nLoss of organization’s business information.\r\nDisruption in organization operations.\r\nEconomic loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nExecution  T1204  User Execution\r\nDiscovery  T1082  System Information Discovery\r\nImpact  T1490  Inhibit System Recovery\r\nImpact  T1489  Service Stop\r\nImpact  T1486  Data Encrypted for Impact\r\nSource: 
https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/"
	],
	"report_names": [
		"rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack"
	],
	"threat_actors": [
		{
			"id": "3752ab7a-08c0-4e06-9896-eda2c3231ba7",
			"created_at": "2024-12-11T02:03:09.781792Z",
			"updated_at": "2026-04-10T02:00:03.686301Z",
			"deleted_at": null,
			"main_name": "GOLD ANGEL",
			"aliases": [
				"Dark Angels"
			],
			"source_name": "Secureworks:GOLD ANGEL",
			"tools": [
				"Advanced IP Scanner",
				"FileShredder",
				"FileZilla",
				"Godzilla Webshell",
				"Neo-Georg webshell",
				"WinSCP"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434663,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/687a57902b31949f86bbf39d7d3106ffd0a7f4c7.pdf",
		"text": "https://archive.orkl.eu/687a57902b31949f86bbf39d7d3106ffd0a7f4c7.txt",
		"img": "https://archive.orkl.eu/687a57902b31949f86bbf39d7d3106ffd0a7f4c7.jpg"
	}
}