DarkAngels Linux Ransomware

Written by PolySwarm Tech Team | Sep 12, 2022 5:45:13 PM

Related families: Babuk

Executive Summary

Uptycs recently reported on a new DarkAngels Linux ransomware variant that appears to still be in development.

Key Takeaways

  • DarkAngels Linux ransomware is an ELF binary that appears to still be in development.
  • The sample analyzed appends the .crypted extension to encrypted files.
  • DarkAngels ransomware is thought to be a rebrand of Babuk.

What is DarkAngels Linux Ransomware?

Uptycs researchers recently discovered an ELF format ransomware developed to target Linux devices. They observed the README note is an exact match with the DarkAngels ransomware ransom note. The original DarkAngels ransomware was first observed in May 2022 and targeted Windows systems.

According to Uptycs’ analysis, the ransomware binary requires a folder as an argument for encryption. Once the folder path is given, DarkAngels encrypts files within the folder and appends the .crypted extension to encrypted files.

The binary uses pthread_create to spawn a new thread that runs start_routine(). The start_routine() function (FUN_0041cf55) encrypts each file in several steps. First, it opens the target file and sets a write lock on it. It then closes the file and renames it with the .crypted extension. Next, it opens another file whose name is the target file's name with .crypted.README_TO_RESTORE appended, writes the README content, and closes it. Finally, it opens the renamed target file and uses lseek and write calls to write the encrypted content. A list of encrypted files is stored in a file named wrkman.log.0.
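The file-handling sequence above leaves three correlated artifacts on disk: the renamed .crypted file, a .crypted.README_TO_RESTORE note beside it, and the wrkman.log.0 listing. The following triage helper, an added example that is not Uptycs' or PolySwarm's code, walks a directory and cross-checks those artifacts against each other; it assumes wrkman.log.0 holds one path per line (the write-up only says it lists the encrypted files) and builds a constructed sample tree so it can run offline.

```python
import os
import tempfile
from pathlib import Path

ENC_EXT = ".crypted"               # extension appended to encrypted files
NOTE_TAIL = ".README_TO_RESTORE"   # appended to the renamed file's name
LOG_NAME = "wrkman.log.0"          # list of encrypted files kept by the binary


def triage_directory(root):
    """Walk `root` and correlate the three artifacts the routine leaves behind.

    Returns: `encrypted` (paths ending in .crypted), `paired_notes` (notes named
    <encrypted file>.README_TO_RESTORE, the pairing the routine creates),
    `orphan_notes` (notes with no such partner, e.g. the file was restored or
    removed) and `log_missing` (wrkman.log.0 entries no longer present on disk).
    """
    root = Path(root)
    encrypted, notes, log_entries = set(), set(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENC_EXT + NOTE_TAIL):
                notes.add(path)
            elif name.endswith(ENC_EXT):
                encrypted.add(path)
            elif name == LOG_NAME:
                # Assumption: one path per line (format not described in the write-up).
                log_entries += [l.strip() for l in path.read_text().splitlines() if l.strip()]
    paired = {n for n in notes if Path(str(n)[: -len(NOTE_TAIL)]) in encrypted}
    # Assumption: a log entry is absolute or relative to the scanned root.
    missing = [e for e in log_entries if not (Path(e).exists() or (root / e).exists())]
    rel = lambda paths: sorted(p.relative_to(root).as_posix() for p in paths)
    return {"encrypted": rel(encrypted), "paired_notes": rel(paired),
            "orphan_notes": rel(notes - paired), "log_missing": missing}


def build_sample_tree():
    """Constructed (not captured) directory laid out as the write-up describes."""
    root = Path(tempfile.mkdtemp(prefix="darkangels_triage_"))
    (root / "docs").mkdir()
    for target in ("docs/report.pdf", "notes.txt"):
        (root / (target + ENC_EXT)).write_bytes(b"\x00constructed ciphertext\x00")
        (root / (target + ENC_EXT + NOTE_TAIL)).write_text("constructed ransom note\n")
    # A note whose encrypted partner is gone (constructed orphan case).
    (root / ("budget.xlsx" + ENC_EXT + NOTE_TAIL)).write_text("constructed ransom note\n")
    # The log lists the two real files plus one that has since been deleted.
    (root / LOG_NAME).write_text(
        "docs/report.pdf.crypted\nnotes.txt.crypted\ndeleted.db.crypted\n")
    return root
```

Pointing triage_directory at a mounted image of an affected host gives a responder the set of encrypted files, the notes that match them, and any log entries whose files are already gone.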

Uptycs researchers noted the ELF file itself was a new discovery, but the Onion link referenced in the binary was not active, leading them to conclude the malware is still under development. The original DarkAngels ransomware is thought to be a rebrand of Babuk.

IOCs

PolySwarm has a sample of DarkAngels Linux ransomware.

3b56cea72e8140a7044336933cf382d98dd95c732e5937a0a61e0e7296762c7b
You can use the following CLI command to search for all DarkAngels ransomware samples in our portal:

$ polyswarm link list -f DarkAngels

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports