Dark Angels ransomware, which was a derivative of the Babuk ransomware, has spawned a new version called Dunghill Leak, security researchers found.
Incredible Technologies, an American designer and manufacturer of gaming systems, is popular for the Golden Tee Golf series. The company showed up in cybersecurity news yesterday, when it was listed as a ransomware victim.
The ransomware gang, which calls itself Dunghill Leak, claims to have access to 500 GB of company data.
It includes binaries and source files for 58 slot machine games, documentation, and confidential data related to these games.
The data set also contains source files for application development, SolidWorks drawings, schematics, 3D models, and parts lists for game stations like zuuma and V55, as well as accounting records and tax payment reports from 2011-2022.
Additionally, there are archives with dates ranging from 2005-2018, mostly related to audits.
Researchers at Falcon Feeds flagged that the group appears to be a rebranded site of Dark Angels ransomware.
Dunghill Leak, Dark Angels, and Babuk ransomware
The Cyber Express has reached out to independent researchers to verify the connection between Dunghill Leak and Dark Angels (also spelt DarkAngels in many circles).
Researchers at Cyble noted the Dark Angels ransomware in May 2022. Further analysis revealed similarities to the Babuk ransomware that went beyond the way the malware executes.
“Like Babuk ransomware, the Dark Angels appends a signature “choung dong looks like hot dog” at the end of the encrypted file, indicating the ransomware is linked to Babuk,” the report noted.
“Dark Angel Team Ransomware is based on the source code of Babuk, and functions in very much the same way,” confirmed a SentinelOne analysis.
“The ransomware will attempt to inhibit system recovery and terminate any process that may interfere with the encryption process.”
In the absence of any command line options, the malware enumerates all local drives and encrypts all targeted files.
Upon encryption, files are given the .crypt extension, noted another SentinelOne report, which listed Dark Angels as one of the three ransomware strains to watch out for in 2022.
The ransom note dropped by the malware, named “How_To_Restore_Your_Files.txt”, instructed victims to pay the ransom in exchange for the decryption tool.
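The three file-system artefacts described above (the .crypt extension, the appended “choung dong looks like hot dog” trailer, and the ransom note name) are enough for a responder to triage a suspect host. The following Python scanner is an added example, not code from Cyble, SentinelOne or this article; the directory layout and file contents it builds are constructed for the demonstration.

```python
import os
import tempfile
MARKER = b"choung dong looks like hot dog"   # trailer Dark Angels/Babuk append to encrypted files
ENCRYPTED_EXT = ".crypt"                      # extension given to encrypted files
NOTE_NAME = "How_To_Restore_Your_Files.txt"   # ransom note dropped by the malware


def has_trailer_marker(path, tail=64):
    """True if MARKER sits within the last `tail` bytes; only the tail is read."""
    try:
        with open(path, "rb") as fh:
            fh.seek(max(0, os.path.getsize(path) - tail))
            return MARKER in fh.read()
    except OSError:
        return False


def scan_tree(root):
    """Walk `root` and bucket files: 'encrypted' (.crypt AND marker), 'ext_only', 'marker_only',
    'notes' (ransom notes). Paths are relative to `root` and sorted for stable output."""
    found = {"encrypted": [], "marker_only": [], "ext_only": [], "notes": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            has_ext, has_marker = name.endswith(ENCRYPTED_EXT), has_trailer_marker(path)
            if name == NOTE_NAME:
                found["notes"].append(rel)
            elif has_ext and has_marker:
                found["encrypted"].append(rel)
            elif has_marker:
                found["marker_only"].append(rel)
            elif has_ext:
                found["ext_only"].append(rel)
    return found


def build_sample_tree():
    """Write a constructed demo tree into a temp dir (synthetic bytes, not real victim data)."""
    root = tempfile.mkdtemp(prefix="dark_angels_demo_")
    os.makedirs(os.path.join(root, "games"))
    samples = {
        "games/slot_42.bin.crypt": b"\x8a\x1f" * 200 + MARKER,          # renamed + marker
        "ledger_2019.xlsx.crypt": b"\x00\x7e" * 300 + MARKER,           # renamed + marker
        "backup.crypt": b"a legitimate file that merely ends in .crypt",  # extension only
        "partial.dat": b"\xde\xad" * 50 + MARKER,                       # marker, not renamed
        NOTE_NAME: b"Your files are encrypted. Contact us for the decryptor.",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Files that carry only one of the two indicators are reported separately because a legitimate file can end in .crypt, and an interrupted run may leave the trailer on a file that was never renamed.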
However, Cyble researchers found one crucial difference between the way Babuk and Dark Angels operate.
“Unlike Babuk ransomware, the Dark Angels are using the malware to target specific organizations. This approach shows some threat actors are specifically selecting their targets,” said the report.
“Thus far no DarkAngels leak site has been identified. However, considering the targeted attacks one might appear soon.”
Dark Angels ransomware, gangs, and TOR sites
Usually, ransomware operators limit their actions to the dark web to hide their illicit behavior.
They keep their public leak websites and the communication platforms for victims hidden on The Onion Router (TOR) network, reachable only through a particular URL that is shared by direct disclosure.
“This limits access to fellow operators, victims and security researchers who track and discover such sites,” said a Cisco Talos report on de-anonymizing ransomware domains on the dark web.
When used appropriately, the TOR network can provide a significant degree of anonymity.
However, if a threat actor makes configuration errors, their activity becomes publicly visible and may draw the scrutiny of law enforcement agencies or security researchers.
To prevent attracting this kind of attention, ransomware operators will take extensive measures to keep their operations untraceable and anonymous.
The Cisco Talos researchers used various methods to uncover the adversaries’ clear web infrastructures, as TOR hidden services are not directly indexed by web search engines.
They identified self-signed TLS certificates and favicons associated with the actors’ dark websites and indexed the clear web to see if they were used publicly.
The researchers also found instances where the adversaries unintentionally exposed sensitive server data, which allowed them to obtain a list of specific login locations used by threat actors to administer their ransomware servers.
They applied this method to Dark Angels.
“They operate much the same as other groups in that they have set up a blog website as a TOR hidden service with a countdown timer to the publication of victim data, as well as links for victims to use to enter a chat room with Dark Angels affiliates to discuss ransom payment negotiations,” said the report.