Date: 10/11/2024
Severity: High
Summary
The Dark Angels ransomware group has been active since April 2022, executing highly targeted attacks with a stealthy and sophisticated approach. Unlike many ransomware groups that rely on third-party brokers for broad targeting, Dark Angels focuses on a select few large companies to minimize detection while maximizing financial returns. Notably, the group was linked to the largest known ransom payment in history, totaling $75 million, as revealed in the Zscaler ThreatLabz 2024 Ransomware Report. This blog delves into the group's tactics, techniques, and procedures.
Indicators of Compromise (IOC) List
URL/Domain | http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html
URL/Domain | https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 |
userdomainname like "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html"
or url like "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html"
or userdomainname like "https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion"
or url like "https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion"
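The query above compares the url and userdomainname fields against the exact IOC strings, so a request to the same .onion host with a different scheme, path or letter case would not match. The following is an added example (not part of this bulletin and not Gurucul TDIR code) that applies the same two indicators to constructed key=value log lines, matching on the normalised host instead of the full string; the field names url, userdomainname and user and the log format are assumptions.

```python
# Added example: match proxy/DNS style log lines against the two .onion
# indicators from the IOC list above, comparing normalised hosts so that a
# differing scheme, path or casing does not cause a miss.
from urllib.parse import urlsplit

# IoCs copied from the bulletin's IOC list.
IOC_URLS = [
    "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html",
    "https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion",
]

def ioc_host(value: str) -> str:
    """Return the lower-cased host part of a URL or of a bare domain."""
    if "://" not in value:
        value = "//" + value  # make urlsplit treat a bare domain as the netloc
    host = urlsplit(value).hostname or ""
    return host.lower().rstrip(".")

IOC_HOSTS = {ioc_host(u) for u in IOC_URLS}

def matches_ioc(field_value: str) -> bool:
    """True if the field's host equals one of the IOC hosts."""
    return ioc_host(field_value) in IOC_HOSTS

# Constructed sample log lines (key=value form), not real traffic.
SAMPLE_LOGS = [
    "ts=2024-10-11T09:14:02Z user=alice url=https://intranet.example.local/home",
    "ts=2024-10-11T09:15:44Z user=bob url=http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/index.html",
    "ts=2024-10-11T09:16:10Z user=carol url=HTTPS://5KVV27EFETBCQGEM4TL7JSOLVR3JXKRBMN23RCJZL7KVQYCXUAO3T4AD.ONION/login",
    "ts=2024-10-11T09:17:33Z user=dave userdomainname=5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion",
]

def parse_kv(line: str) -> dict:
    """Parse a space-separated key=value log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def find_hits(lines, fields=("url", "userdomainname")):
    """Return (user, field, value) for each line whose url or
    userdomainname field resolves to an IOC host."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        for f in fields:
            if f in rec and matches_ioc(rec[f]):
                hits.append((rec.get("user", "?"), f, rec[f]))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print("IOC hit:", hit)
```

The exact-string query reports only the bob line; the host comparison also flags carol and dave, which is the behaviour a detection rule for these indicators should have.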
Reference:
https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-ransomware-group#indicators-of-compromise--iocs-