Dark Angels vs. RagnarLocker: SentinelOne Decodes the 2023 Ransomware Attack

In a stark reminder of the constantly evolving cyber threat landscape, September 2023 witnessed a formidable ransomware attack on the automation giant, Johnson Controls. Cyber adversaries, wielding the Dark Angels ransomware, locked down the company’s VMWare ESXi servers, raising alarms across the cybersecurity community. SentinelOne’s subsequent investigation revealed some startling insights.

To understand the magnitude of this breach, one must first delve into the mechanics of the ransomware. Dark Angels, a fairly recent entrant in the cyber-criminal arsenal since 2022, diverges from many of its contemporaries. Instead of basing its operations on the widely recognized Babuk ESXi locker source code, it follows its own path. Once activated, the ransomware meticulously logs its encryption activities to a pre-defined log file. Operators can determine a root directory to kickstart encryption, and the software even allows customization of encryption threads and logging verbosity.

However, it’s the link between Dark Angels and the infamous RagnarLocker group that raises eyebrows. The latter, known for its widespread attacks from 2020-2022, has eerily similar hallmarks to the Linux version of Dark Angels. Both malware versions are identical in size, employ the same encryption mechanism, and even share file path exclusions, ensuring vital system files remain untouched. This uncanny resemblance hints at a potential code-sharing or even a deeper affiliation between the two groups.

Dark Angels Linux 2023 Proof-pack | Image Credit: SentinelOne

Despite these similarities, each variant has its distinct nuances. For instance, while both ransomware pen down their activities to ‘wrkman.log’, the type of arguments they accept differ. Furthermore, Dark Angels’ ransom note naming convention is uniquely repetitive, creating a ransom note for each encrypted file, whereas most ransomware typically generates a singular note per directory.

Dark Angels Linux 2022 proof-pack | Image Credit: SentinelOne

An intriguing aspect of SentinelOne’s study was the discovery of a Dark Angels sample from September 2022. Although bearing resemblances to its 2023 counterpart, the older sample redirected victims to a different address, which was dormant. On the contrary, the 2023 variant guided victims to a more active site for communication and leaks.

These observations signify a growing trend: cyber adversaries are constantly refining their strategies, capitalizing on loopholes, and targeting vulnerabilities. Dark Angels’ shift from a simplistic image link in 2022 to a more secure link in 2023 exemplifies this adaptability.

Consequently, it is paramount for organizations to remain vigilant. Implementing robust vulnerability and patch management programs becomes an essential defensive strategy. With ESXi hypervisors lacking native security software, enhanced network monitoring becomes crucial, specifically targeting unusual access or data transfers.

In a world where cyber threats mutate and evolve rapidly, staying one step ahead is not just a strategy – it’s a necessity.