Related families: Babuk
Uptycs recently reported on a new DarkAngels Linux ransomware variant that appears to still be in development.
- DarkAngels Linux ransomware is an ELF binary that appears to still be in development.
- The sample analyzed appends the .crypted extension to encrypted files.
- DarkAngels ransomware is thought to be a rebrand of Babuk.
Uptycs researchers recently discovered an ELF-format ransomware built to target Linux systems. They observed that the README ransom note it drops is an exact match for the note used by DarkAngels ransomware. The original DarkAngels ransomware was first observed in May 2022 and targeted Windows systems.
According to Uptycs’ analysis, the ransomware binary requires a folder as an argument for encryption. Once the folder path is given, DarkAngels encrypts files within the folder and appends the .crypted extension to encrypted files.
The binary uses pthread_create to spawn a worker thread whose entry point, start_routine() (FUN_0041cf55 in the disassembly), encrypts files in several steps. First, it opens the target file and places a write lock on it. It then closes the file and renames it with the .crypted extension. Next, it creates a second file with the same name as the target file plus .crypted.README_TO_RESTORE, writes the README content into it, and closes it. Finally, it reopens the renamed target file and uses lseek and write to overwrite its content in place with ciphertext. A list of encrypted files is stored in a file named wrkman.log.0. Note the order of operations: the rename happens before any ciphertext is written, so a file carrying the .crypted extension whose content is still plaintext indicates a run that was interrupted between those two steps.
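As an added example (not part of the Uptycs analysis or PolySwarm's tooling), the following Python script scans a directory tree for the on-disk artifacts described above and cross-checks them against each other: every .crypted file should have a .crypted.README_TO_RESTORE note beside it, and vice versa, so a mismatch marks a directory where the encryption thread did not complete its sequence. The naming is taken from the paragraph above; the location and format of wrkman.log.0 are not stated in the write-up, so the scan only reports wherever a file of that name is found. The victim tree the script builds is constructed for the demonstration and is not real sample output.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Artifact names taken from the analysis above.
ENCRYPTED_EXT = ".crypted"
NOTE_SUFFIX = ".crypted.README_TO_RESTORE"
LOG_NAME = "wrkman.log.0"  # location/format not stated in the write-up; matched by name only (assumption)


@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)      # <name>.crypted
    notes: list = field(default_factory=list)          # <name>.crypted.README_TO_RESTORE
    missing_notes: list = field(default_factory=list)  # .crypted file with no note beside it
    orphan_notes: list = field(default_factory=list)   # note with no .crypted file beside it
    log_files: list = field(default_factory=list)      # any wrkman.log.0 found


def scan_for_artifacts(root: str) -> TriageReport:
    """Walk `root` and collect the DarkAngels file-system artifacts.

    The note is written beside each encrypted file, so a .crypted file
    without a note, or a note without a .crypted file, points at a
    directory where the encryption thread did not finish its sequence.
    """
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name == LOG_NAME:
                report.log_files.append(path)
            elif name.endswith(NOTE_SUFFIX):
                report.notes.append(path)
                partner = name[: -len(".README_TO_RESTORE")]  # -> <name>.crypted
                if partner not in present:
                    report.orphan_notes.append(path)
            elif name.endswith(ENCRYPTED_EXT):
                report.encrypted.append(path)
                if name + ".README_TO_RESTORE" not in present:
                    report.missing_notes.append(path)
    return report


def build_constructed_victim_tree(root: str) -> None:
    """Create a small, constructed post-infection tree (not real sample output)."""
    layout = {
        "docs/report.pdf.crypted": b"\x8f\x11\x02ciphertext-placeholder",
        "docs/report.pdf.crypted.README_TO_RESTORE": b"ransom note text\n",
        "docs/notes.txt": b"untouched plaintext\n",
        "db/backup.sql.crypted": b"\x00\x7a\x13ciphertext-placeholder",  # note never written
        "tmp/old.txt.crypted.README_TO_RESTORE": b"ransom note text\n",   # no .crypted file beside it
        "wrkman.log.0": b"docs/report.pdf\ndb/backup.sql\n",               # log format assumed
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo_on_constructed_tree() -> TriageReport:
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="darkangels-triage-")
    build_constructed_victim_tree(root)
    return scan_for_artifacts(root)


if __name__ == "__main__":
    rep = demo_on_constructed_tree()
    for label, items in vars(rep).items():
        print(f"{label}: {len(items)}")
        for p in items:
            print("   ", p)
```

Run it against a mounted image or a copied directory tree rather than the live host; on the constructed tree it reports two encrypted files, one missing note (db/backup.sql.crypted), one orphan note (tmp/old.txt.crypted.README_TO_RESTORE) and one wrkman.log.0.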
Uptycs researchers noted the ELF file itself was a new discovery, but the Onion link referenced in the binary was not active, leading them to conclude the malware is still under development. The original DarkAngels ransomware is thought to be a rebrand of Babuk.
PolySwarm has a sample of DarkAngels Linux ransomware.
You can use the following CLI command to search for all DarkAngels ransomware samples in our portal:
$ polyswarm link list -f DarkAngels
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.