
New Ransomware Dubbed DarkAngels Used as Part of a Highly Targeted Attack

A new ransomware family, dubbed DarkAngels by Cyble Research Labs, has been identified. Analysis of the sample shows clear similarities between DarkAngels and the Babuk ransomware.

Both the ransom note and the threat actor's (TA's) website name a specific organization, which indicates they were created for a highly targeted attack rather than for an opportunistic campaign.

Technical Analysis

Static analysis shows that the malicious file is a 32-bit, GUI-based Windows executable.

The malware first calls the SetProcessShutdownParameters() API to set its own shutdown level to zero. Windows shuts down processes in descending order of this level, so a level of zero means the malware process is among the last to be terminated if the system is shut down, allowing encryption to continue for as long as possible.

To ensure that encryption is not interrupted, the malware enumerates the services running on the victim's machine, retrieves their names, and stops them before it begins encrypting files. Stopping services in this way also releases file handles that would otherwise block encryption.

Using the SHEmptyRecycleBinA() API, the malware empties the Recycle Bin so that previously deleted files cannot be recovered from it after encryption.

The malware drops a ransom note named “How_To_Restore_Your_Files.txt” that instructs the victim to pay the ransom to recover their files.

Once the ransom notes have been written, the malware encrypts the data on the victim's device and appends the “.crypt” extension to each encrypted file.
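The behaviours described above (a burst of service stops before encryption, the Recycle Bin being emptied, the ransom note How_To_Restore_Your_Files.txt appearing, and many files renamed to .crypt) are also what a defender can correlate in host telemetry. The following triage helper is an added example written for this article; it is not code from Cyble's report or from the malware. The event tuple layout, the event-type names and the sample events are constructed assumptions, not a real Sysmon or Windows Event Log schema, so map your own telemetry fields onto them.

```python
"""Correlate DarkAngels-style ransomware behaviours over a simple event stream.

Added example, not code from the article or from Cyble's report.  The event
layout (timestamp, host, event_type, detail) and the event-type names are
assumptions for this example, not a real telemetry schema.
"""
from collections import defaultdict
from datetime import datetime
import ntpath

RANSOM_NOTE = "How_To_Restore_Your_Files.txt"   # ransom note name from the analysis
CRYPT_EXT = ".crypt"                             # extension appended to encrypted files


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _by_host(events, kind):
    """Group (timestamp, detail) pairs of one event kind per host."""
    out = defaultdict(list)
    for ts, host, ev, detail in events:
        if ev == kind:
            out[host].append((_ts(ts), detail))
    return out


def service_stop_bursts(events, window_s=10, threshold=5):
    """Hosts where at least `threshold` services stopped inside any `window_s` window."""
    hits = set()
    for host, items in _by_host(events, "service_stop").items():
        times = sorted(t for t, _ in items)
        lo = 0
        for hi, t in enumerate(times):            # sliding window over sorted timestamps
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(host)
                break
    return hits


def recycle_bin_emptied(events):
    return set(_by_host(events, "recycle_bin_emptied"))


def ransom_note_dropped(events):
    """Hosts where a file with the ransom note's name was created (any directory)."""
    return {h for h, items in _by_host(events, "file_create").items()
            if any(ntpath.basename(p).lower() == RANSOM_NOTE.lower() for _, p in items)}


def crypt_renames(events, threshold=20):
    """Hosts with at least `threshold` renames whose new name ends in .crypt."""
    hits = set()
    for host, items in _by_host(events, "file_rename").items():
        n = sum(1 for _, new_path in items if new_path.lower().endswith(CRYPT_EXT))
        if n >= threshold:
            hits.add(host)
    return hits


def triage(events, min_indicators=2):
    """Return {host: sorted indicator names} for hosts matching >= min_indicators.

    Requiring two independent indicators keeps a single legitimate service
    restart or a lone .crypt file from raising an alert on its own.
    """
    checks = {
        "service_stop_burst": service_stop_bursts(events),
        "recycle_bin_emptied": recycle_bin_emptied(events),
        "ransom_note_dropped": ransom_note_dropped(events),
        "mass_crypt_rename": crypt_renames(events),
    }
    matched = defaultdict(list)
    for name, hosts in checks.items():
        for h in hosts:
            matched[h].append(name)
    return {h: sorted(i) for h, i in matched.items() if len(i) >= min_indicators}


def _sample_events():
    """Constructed telemetry: ws01 shows the full chain, ws02 only benign noise."""
    ev = []
    for i, svc in enumerate(["VSS", "SQLWriter", "MSSQLSERVER", "wbengine", "BackupSvc", "DbAgent"]):
        ev.append((f"2024-03-28T10:00:0{i}", "ws01", "service_stop", svc))
    ev.append(("2024-03-28T10:00:07", "ws01", "recycle_bin_emptied", ""))
    ev.append(("2024-03-28T10:00:08", "ws01", "file_create",
               r"C:\Users\alice\Desktop\How_To_Restore_Your_Files.txt"))
    for i in range(25):
        ev.append(("2024-03-28T10:00:09", "ws01", "file_rename",
                   rf"C:\Users\alice\Documents\doc{i}.docx.crypt"))
    ev.append(("2024-03-28T10:05:00", "ws02", "service_stop", "Spooler"))
    ev.append(("2024-03-28T10:05:01", "ws02", "file_rename", r"C:\Temp\report.bak"))
    return ev


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for host, indicators in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(indicators))
```

Run against the constructed sample, `triage()` flags ws01 with all four indicators and leaves ws02 alone. The thresholds (five service stops in ten seconds, twenty .crypt renames) are starting points to tune against your own baseline; the ransom note name and extension are the two indicators lifted directly from the analysis above.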

Recommendations

DarkAngels appears to be closely derived from the Babuk ransomware code, which has been available on the internet for some time. It is common for threat actors to take existing code, modify it, and rebrand it rather than write a new family from scratch.

The security analysts provide the following recommendations:

  • Take backups regularly and keep them offline or on a separate network so that ransomware cannot reach them.
  • Enable automatic software updates wherever feasible; it is the simplest way to keep computers, mobile devices, and other connected devices patched.
  • Run a reputable anti-virus product on every PC and mobile device connected to the Internet.
  • Do not open email attachments or links without first verifying their authenticity.
  • Disconnect infected devices from the network they are connected to.
  • Disconnect any external storage devices that are attached to an infected machine.
  • Review system logs to identify suspicious events.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
