The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

DarkAngels Linux Ransomware

Sep 12, 2022 1:45:13 PM / by PolySwarm Tech Team


Related families: Babuk

Executive Summary

Uptycs recently reported on a new DarkAngels Linux ransomware variant that appears to still be in development.

Key Takeaways

  • DarkAngels Linux ransomware is an ELF binary that appears to still be in development.
  • The sample analyzed appends the .crypted extension to encrypted files.
  • DarkAngels ransomware is thought to be a rebrand of Babuk.
What is DarkAngels Linux Ransomware?

Uptycs researchers recently discovered an ELF format ransomware developed to target Linux devices. They observed the README note is an exact match with the DarkAngels ransomware ransom note. The original DarkAngels ransomware was first observed in May 2022 and targeted Windows systems.

According to Uptycs’ analysis, the ransomware binary requires a folder as an argument for encryption. Once the folder path is given, DarkAngels encrypts files within the folder and appends the .crypted extension to encrypted files.

The binary uses pthread_create to create a new thread, which executes using start_routine(). The start_routine()(FUN_0041cf55) function follows multiple steps to encrypt the files. First, it opens the target file and sets a write lock on it. It then closes the file and renames it with the .crypted extension. Next, it opens another file with the same name as the target file but with .crypted.README_TO_RESTORE appended. It writes the README content and closes the file. Finally, it opens the original renamed target file and uses lseek and write call to write the encrypted content. A list of encrypted files is stored in a file named wrkman.log.0.

Uptycs researchers noted the ELF file itself was a new discovery, but the Onion link referenced in the binary was not active, leading them to conclude the malware is still under development. The original DarkAngels ransomware is thought to be a rebrand of Babuk.


PolySwarm has a sample of DarkAngels Linux ransomware.


You can use the following CLI command to search for all DarkAngels ransomware samples in our portal:

$ polyswarm link list -f DarkAngels

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Ransomware, Linux, DarkAngels

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts