Shining Light on the Dark Angels Ransomware Group

    Date: 10/11/2024

    Severity: High

    Summary

    The Dark Angels ransomware group has been active since April 2022, executing highly targeted attacks with a stealthy and sophisticated approach. Unlike many ransomware groups that rely on third-party brokers for broad, opportunistic targeting, Dark Angels focuses on a small number of large companies, which limits its exposure to detection while maximizing the financial return per victim. Notably, the group was linked to the largest known ransom payment to date, $75 million, as revealed in the Zscaler ThreatLabz 2024 Ransomware Report. The referenced Zscaler research details the group's tactics, techniques, and procedures; the indicators and detection query below are drawn from it.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html

    https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html" or url like "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html" or userdomainname like "https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion" or url like "https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion"
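    The TDIR query above matches the two IOCs as full URL strings, so a request to the same hidden service with a different path, scheme or letter case would not hit it. The following is an added example (not part of the original post and not Gurucul or Zscaler code) that normalizes each requested URL to its .onion hostname and matches on that instead. It runs over a constructed proxy log whose field layout ("timestamp src=... url=... status=...") is an assumption; the IOC hostnames are the two from the list above. It also collects every .onion host seen, since any Tor hidden-service traffic from a corporate network is worth a lower-severity alert on its own.

```python
import re
from urllib.parse import urlsplit

# Dark Angels IOCs from this page, reduced to hostnames. Matching on the host
# rather than the full URL catches any path, scheme or letter-case variant.
DARK_ANGELS_ONIONS = {
    "nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion",
    "5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion",
}

# Constructed sample proxy log (not real telemetry). The field layout is an
# assumption: "<timestamp> src=<client ip> url=<requested url> status=<code>".
SAMPLE_PROXY_LOG = """\
2024-10-11T09:12:01Z src=10.20.4.17 url=https://www.example.com/ status=200
2024-10-11T09:13:44Z src=10.20.4.17 url=http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html status=200
2024-10-11T09:15:02Z src=10.20.9.3 url=http://NSALEWDNFCLSOWCAL6KN5CSM4RYQMFPIJZNXWICTUKHRGVZ2VBMJJJYD.onion/login status=403
2024-10-11T09:16:20Z src=10.20.7.8 url=https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion status=200
2024-10-11T09:17:05Z src=10.20.7.8 url=https://some.other.onion/ status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+url=(?P<url>\S+)")


def onion_host(value):
    """Return the lower-cased .onion hostname from a URL or bare host, else None."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # make urlsplit treat a bare host as the netloc
    try:
        host = urlsplit(v).hostname
    except ValueError:  # e.g. unbalanced IPv6 brackets in a malformed URL
        return None
    return host if host and host.endswith(".onion") else None


def match_ioc(value, iocs=DARK_ANGELS_ONIONS):
    """Return the IOC hostname that `value` points at (exact host or a
    subdomain of it), or None if it is not a known Dark Angels host."""
    host = onion_host(value)
    if host is None:
        return None
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(text, iocs=DARK_ANGELS_ONIONS):
    """Return one hit per log line whose URL points at a known IOC host."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the scan
        ioc = match_ioc(m["url"], iocs)
        if ioc:
            hits.append({"ts": m["ts"], "src": m["src"], "ioc": ioc, "url": m["url"]})
    return hits


def any_onion_hosts(text):
    """All .onion hosts seen in the log, IOC or not."""
    hosts = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h = onion_host(m["url"])
            if h:
                hosts.add(h)
    return hosts


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['ioc']}  ({hit['url']})")
    print("all .onion hosts:", sorted(any_onion_hosts(SAMPLE_PROXY_LOG)))
```

    Run against the sample, the scan flags three lines, including the upper-cased "/login" request that a full-URL string match would miss, and reports the unknown "some.other.onion" host separately for triage.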

    Reference: 

    https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-ransomware-group#indicators-of-compromise--iocs-


    Tags

    Malware, Ransomware
