Ransomware Dubbed DarkAngels

A new ransomware strain, dubbed DarkAngels by Cyble Research Labs, has been identified. Analysis of the malware uncovered similarities between DarkAngels and the Babuk ransomware.

The ransom note and the threat actors' (TAs') website are both named after specific organizations, meaning they were likely created in the context of a highly targeted attack.

Technical Analysis

Using static analysis, experts have discovered that the malicious file is a 32-bit Graphical User Interface (GUI) based binary.

The malware first calls the SetProcessShutdownParameters() API to change the priority of its process to zero, so that the malware's activities are terminated only just before the system shuts down.

To ensure that its encryption process is not interrupted, the malware attempts to terminate services before encrypting the system.

The malware enumerates all available services in order to retrieve the names of the services running on the victim's machine.

Using the SHEmptyRecycleBinA() API, the malware removes all items from the Recycle Bin so that none of the deleted files can be restored after encryption.

The malware drops a ransom note titled "How_To_Restore_Your_Files.txt", which instructs victims to pay the ransom to unlock their files.

As soon as the malware drops the ransom notes, it encrypts the data on the victim’s device and appends the “.crypt” extension to the files.
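The two file-system artifacts described above (the ransom note name and the ".crypt" extension) can be turned into a simple detection over file-creation events. This is an added example, not code from the article or from Cyble's report; the event tuple format, the thresholds, the function name `detect` and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

NOTE_NAME = "how_to_restore_your_files.txt"  # ransom note name from the article
ENC_EXT = ".crypt"                            # appended extension from the article
WINDOW = timedelta(seconds=60)                # assumption: burst window
BURST = 5                                     # assumption: .crypt files per window
NOTE_DIRS = 2                                 # assumption: note seen in N directories

def detect(events):
    """events: iterable of (iso_timestamp, host, process, file_path) for file
    creations/renames. Returns a list of (host, process, reason) alerts."""
    recent = defaultdict(deque)     # (host, process) -> timestamps of .crypt files
    note_dirs = defaultdict(set)    # (host, process) -> directories holding the note
    alerts, seen = [], set()
    def raise_alert(key, reason):
        if (key, reason) not in seen:         # one alert per key and reason
            seen.add((key, reason))
            alerts.append((*key, reason))
    for ts, host, proc, path in sorted(events):
        when = datetime.fromisoformat(ts)
        p = PureWindowsPath(path)
        key = (host, proc.lower())
        if p.name.lower() == NOTE_NAME:
            # The same note appearing in several directories is the stronger signal.
            note_dirs[key].add(str(p.parent).lower())
            if len(note_dirs[key]) >= NOTE_DIRS:
                raise_alert(key, "ransom_note_spread")
        elif p.suffix.lower() == ENC_EXT:
            q = recent[key]
            q.append(when)
            while when - q[0] > WINDOW:       # drop timestamps outside the window
                q.popleft()
            if len(q) >= BURST:
                raise_alert(key, "crypt_burst")
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE = [
    ("2022-05-01T10:00:00", "WS01", "sample.exe", r"C:\Users\a\Docs\How_To_Restore_Your_Files.txt"),
    ("2022-05-01T10:00:01", "WS01", "sample.exe", r"C:\Users\a\Pictures\How_To_Restore_Your_Files.txt"),
] + [("2022-05-01T10:00:%02d" % (2 + i), "WS01", "sample.exe", rf"C:\Users\a\Docs\f{i}.docx.crypt")
     for i in range(6)] + [
    ("2022-05-01T11:00:00", "WS02", "backup.exe", r"D:\old\archive.crypt"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The single ".crypt" file on WS02 does not alert, since the extension alone is not unique to this malware; only the burst and the multi-directory note are flagged.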


DarkAngels malware appears to have a strong correlation to the Babuk ransomware code that has long been available on the internet. In general, it is not uncommon for threat actors to use existing code, modify it, and rebrand it in order to gain a competitive edge.

Listed below are the recommendations provided by the security analysts:

  • Backups need to be done regularly and they need to be kept either off-line or in separate networks to protect them.
  • The easiest and most pragmatic way to keep your computer, mobile device, and other connected devices updated is to enable automatic software updates whenever it is feasible.
  • If you have a mobile device or PC connected to the Internet, you should use a reputable anti-virus product.
  • Do not open email attachments or links without first checking their authenticity.
  • It is essential to detach infected devices from the network where they are connected.
  • If you have connected external storage devices, disconnect them.
  • Identify suspicious events by reviewing the system logs.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.