Rebranded Babuk Ransomware in Action: DarkAngels Ransomware Performs Targeted Attack

Cyble Research Labs has identified a new ransomware malware known as DarkAngels. Analysis of the DarkAngels malware uncovered similarities between it and the Babuk Ransomware.

While executing the sample, we observed that the ransom note, and the TAs website, contain a specific organization’s name indicating that the malware sample may have been developed as part of a highly targeted attack.

This blog showcases the deep-dive analysis of one of the DarkAngels ransomware samples to identify their capabilities and the way to protect yourself/your organization from them.

Technical Analysis

Based on static analysis, we found that the malicious file is a 32-bit Graphical User Interface (GUI) based binary, as shown in Figure 1.

Figure 1 – Static File Information of DarkAngels Sample

Upon execution, the malware first changes the priority of the process i.e to zero by calling the SetProcessShutdownParameters() API so that the malware’s activities can be terminated only before the system shutdown. This is a way to increase the amount of time the malware gets to execute in the compromised machine.

Figure 2 – Malware Changes the Priority of the Process

The malware tries to terminate the services before encrypting the system to ensure no interruption during its encryption process. To identify the services in the victim’s machine, it calls the OpenSCManagerA() API, which establishes a connection to the service control manager and gives the malware access to the service control manager database, as shown in Figure 3.

Figure 3 – Enumerates Services

After gaining access, the malware enumerates the services and fetches the service names in the victim’s machines. The ransomware then checks the presence of the services such as VSS, SQL, Memtas, etc., and terminates them if the services are actively running on the victim’s machine.

The ransomware also enumerates the running processes using CreateToolhelp32Snapshot(), Process32FirstW(), and Process32NextW() APIs, checks the process names such as sql.exe,oracle.exe, powerpnt.exe, etc., and terminates them if they are actively running.

Figure 4 – Terminates Active Processes

Furthermore, we noticed that the binary launches the vssadmin.exe process to delete all Shadow Copy, as shown in figure 5. The malware deletes shadow copies to avoid recovery of the system after encrypting the files.

Figure 5 – Deletes All Shadow Copies

The malware deletes all items from the Recycle Bin by calling the “SHEmptyRecycleBinA() API to ensure no deleted files are restored after encryption.

Figure 6 – Deletes Items from Recycle Bin

After execution, DarkAngels Ransomware tries to get system information using GetSystemInfo() API, which extracts information such as NumberOfProcessors.

Figure 7 – DarkAngels Ransomware Collect System Info

The malware then creates a thread for all CPUs that it encounters, creates ransom notes named How_To_Restore_Your_Files.txt, and encrypts the files present in the victim’s machine.

The malware enumerates the system and excludes the folders such as AppData, Boot, Windows, Windows.old, etc., from the encryption process.

The ransomware specifically excludes files such as autorun.inf, boot.ini,bootfont.bin, etc., from encryption.

The ransomware also excludes file extensions such as .exe, .dll, and .babyk. The .babyk is a well-known extension for Babuk ransomware which indicates the DarkAngels is linked to Babuk ransomware.

Like Babuk ransomware, the DarkAngels appends a signature “choung dong looks like hot dog”  at the end of the encrypted file, indicating the ransomware is linked to Babuk.

Figure 8 – Appends Signature at the end of an encrypted file

The below figure demonstrates the ransom note dropped by the malware with the name “How_To_Restore_Your_Files.txt” to instruct the victims to pay the ransom money for the decryption tool.

Figure 9 – Ransom note

In their ransom note, the TAs have instructed victims to contact them through their TOR website. In addition, the TAS threatens the victims to disclose their data if they do not respond within four days after the attack and notify government supervision agencies, competitors, and clients.

After dropping the ransom notes, the malware encrypts the files on the victim’s machine and appends the extension with “.crypt,” as shown in the below figure.

Figure 10 – Encrypted Files on the Machine

DarkAngels has the capability to be spared through network shares and paths of the infected machine, as shown in Figure 11.

Figure 11 – Checks for Network shares and paths

If the given command-line argument is “shares,” then the ransomware finds Network shares and retrieves information about each shared resource on a server using NetShareEnum() API. Furthermore, it checks for $ADMIN share and starts encrypting the files.  

Figure 12 – Enumerate Shares and Encrypt Files

If the given command-line argument is “paths,” then the ransomware calls GetDriveTypeW() API to find out the network drive connected to the infected machine. Once the network drive is identified, the ransomware starts encrypting the files.

Figure 13 – Enumerate Drives and Encrypt Files

When the command line arguments “-paths” and “-shares” are not provided, and also no mutex named “DarkAngels” opened in the infected machine then, the ransomware recursively traverses through all local drives and encrypts the files.

Figure 14 – Enumerates Local Drives

The below image shows the warning message to a victim company.

Figure 15 – Warning message to a Victim Company

The below image shows the financial transactions of over $1M to the TAs BTC address.

Figure 16 – Financial Transactions


There is a strong correlation between the DarkAngels malware and the existing Babuk ransomware code. It is common for threat actors to leverage existing code, modifying it, and rebranding it. Unlike Babuk ransomware, the Dark Angels are using the malware to target specific organizations. This approach shows some TAs are specifically selecting their targets. Thus far no DarkAngels leak site has been identified. However, considering the targeted attacks one might appear soon.

We will continue to monitor DarkAngels’ extortion campaigns and update our readers with the latest information.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety measures needed to prevent ransomware attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users should take the following steps after the ransomware attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impacts and cruciality Of DarkAngels Ransomware:

  • Loss of Valuable data.
  • Loss of organization’s reliability or integrity.
  • Loss of organization’s business information.
  • Disruption in organization operation.
  • Economic loss.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Execution     T1204 User Execution 
​​Discovery    T1082 ​System Information Discovery 
Impact T1490  ​
T1489  ​
​Inhibit System Recovery  ​
Service Stop  ​
Data Encrypted for Impact 

Comments are closed.

Scroll to Top