Origins and Background
Dark Angels emerged in mid-2022 with an unusual strategic posture: quality over quantity. While most ransomware operations of that period were scaling affiliate networks and grinding through high-volume, lower-value targets, Dark Angels chose a more deliberate path — targeting a small number of very large organisations and extracting correspondingly large ransoms.
The group’s ransomware payload is derived from the Babuk source code, which leaked in September 2021. The leaked Babuk code has become the foundation for multiple ransomware variants targeting Linux and VMware ESXi environments, and Dark Angels built their Linux encryptor on it. Their Windows encryptor shows code similarities to Ragnar Locker, suggesting the group may have absorbed personnel or tools from that operation after Ragnar Locker’s disruption.
Unlike the highly visible public-facing affiliate recruitment common in RaaS operations, Dark Angels appears to operate as a closed, cohesive crew rather than a platform with external affiliates. This structure keeps operational security tighter and reduces the risk of affiliate defections, leaks, or law enforcement infiltration through the affiliate layer.
The Cencora Payment: A Record-Setting Ransom
The most significant publicly known Dark Angels operation is their intrusion into Cencora (formerly AmerisourceBergen), one of the largest pharmaceutical distribution companies in the United States. Cencora disclosed in early 2024 that its systems had been breached and data stolen. What was not immediately known was the ransom paid.
Bloomberg’s 2024 reporting revealed that Cencora paid approximately $75 million to Dark Angels in multiple cryptocurrency instalments. This figure, if accurate, represents the largest known ransomware payment on record — exceeding the widely reported $40 million paid by CNA Financial in 2021 and significantly exceeding the $4.4 million Colonial Pipeline payment that drew international attention.
The payment scale reflects Dark Angels’ targeting philosophy. Cencora is a Fortune 10 company with revenues exceeding $250 billion annually. The ransomware group assessed their target’s capacity to pay and priced accordingly.
What made the Cencora case distinctive was the limited public disclosure of data. Dark Angels did not immediately publish Cencora data on their Dunghill Leak site following the intrusion, suggesting either that a payment was made promptly enough to prevent publication or that a negotiated resolution was reached that kept data off the site. The $75 million figure, if the reporting is accurate, suggests the former.
Dunghill Leak: The Extortion Infrastructure
Dark Angels operates their data leak site under the name Dunghill Leak. The site functions as the group’s extortion leverage — stolen data is published in stages to pressure victims who have not paid.
Dunghill Leak follows a more methodical approach than the high-volume publication style of some other groups. Dark Angels tends to post detailed file listings, sample files, and screenshots before releasing full datasets, giving victims time to assess the exposure and make payment decisions. This staged approach maximises negotiating pressure without immediately destroying the leverage that unpublished data provides.
The site’s victim list, while shorter than high-volume operations like LockBit or CLOP, reflects the big-game targeting strategy: organisations across healthcare, technology, manufacturing, and financial services — companies with the combination of valuable data and financial capacity to pay significant ransoms.
Targeting Profile
Dark Angels’ targeting is consistent with big-game hunting: large enterprises with revenue in the billions, data that creates significant regulatory or competitive exposure if published, and security postures that large organisations often develop — comprehensive at the perimeter, potentially weaker in internal segmentation and east-west detection.
Healthcare is heavily represented in their victim list — not because healthcare pays more than other sectors, but because healthcare organisations hold patient data that creates significant HIPAA exposure and reputational harm if published. Pharmaceutical companies specifically sit at an intersection of highly sensitive data (clinical trial data, patient information) and high revenue.
Technology companies are attractive for IP theft leverage — source code, product roadmaps, acquisition data.
Manufacturing and industrial targets hold supply chain data and operational information with competitive sensitivity.
The group reportedly avoids critical infrastructure targets that would draw immediate US government attention, a tactical restraint that reflects the same low-profile preference that characterises their overall operation.
Technical Profile
Initial Access
Dark Angels has used multiple initial access vectors. Public reporting attributes their intrusions to:
- Exploitation of internet-facing infrastructure vulnerabilities (VPN appliances, firewall management interfaces, public-facing web applications)
- Phishing campaigns for credential acquisition
- Purchasing access from initial access brokers
The group does not appear to rely on a single delivery mechanism, adapting their access approach to target-specific exposure.
Post-Compromise
After gaining access, Dark Angels conducts extended reconnaissance before deploying ransomware. Extended dwell time — sometimes weeks to months — allows the group to:
- Map the full network topology and identify high-value data repositories
- Exfiltrate large volumes of data before triggering encryption
- Identify and target backup infrastructure to maximise recovery difficulty
- Escalate privileges to domain administrator level for maximum encryption coverage
The extensive dwell time and data theft before encryption are consistent with a group optimising for negotiating leverage rather than speed.
Encryption
The Linux/ESXi encryptor (Babuk-derived) targets VMware ESXi hypervisors, encrypting virtual machine disk files and configuration data. This approach is efficient — a small number of ESXi hosts may host hundreds of virtual machines, allowing near-total encryption of a virtualised environment with targeted deployment.
The Windows encryptor targets domain-joined endpoints and file shares, with specific attention to disabling or bypassing endpoint detection before deploying the encryptor.
Data Exfiltration
Data exfiltration is a core component of every Dark Angels operation. The group exfiltrates data before encryption — typically using legitimate cloud storage services or custom tools. The volume of exfiltration can be substantial: in some reported cases, multiple terabytes of data.
Why Dark Angels Flies Below the Radar
Most analysis of the ransomware threat landscape focuses on volume: which groups are posting the most victims, which are recruiting the most affiliates, which are generating the most law enforcement action. Dark Angels scores low on all of these metrics deliberately.
Few victims means less exposure. A group with ten high-value victims generates less intelligence collection opportunity than a group with hundreds of lower-value ones. Fewer victims means fewer law enforcement referrals, fewer incident response firms developing signatures, fewer opportunities for investigators to correlate intrusions.
No affiliate platform means no affiliate risk. RaaS operations are repeatedly disrupted through affiliates — former affiliates who are arrested, who cooperate with law enforcement, or who leak operational information. Dark Angels’ apparent closed-crew model eliminates this attack surface.
Successful payments reduce leak site attention. When victims pay, their data doesn’t appear on Dunghill Leak (or appears minimally). A leak site with limited public activity attracts less researcher and media attention than one that’s posting new victims daily.
Low victim count per period means no “surge” that triggers response. Law enforcement action against ransomware groups often follows surge activity that crosses a threshold — the Colonial Pipeline disruption, the Kaseya VSA mass exploitation, the MOVEit campaign. Dark Angels’ pace of operations doesn’t trigger that threshold.
Defensive Implications
Dark Angels’ approach has several implications for enterprise defensive strategy:
Detect dwell, not just ransomware. By the time Dark Angels deploys their encryptor, they’ve likely been in the environment for weeks. The encryption event is a trailing indicator. Detection must focus on post-compromise activity: unusual lateral movement, large-scale internal data access, staging of data for exfiltration, credential use anomalies.
Monitor ESXi infrastructure specifically. Hypervisor targeting is efficient and fast. ESXi hosts should be treated as high-value targets with their own monitoring, rather than relying on guest-VM detection capabilities, which stop operating once the hypervisor itself is compromised.
Data exfiltration is the primary leverage. Backup resilience limits the encryption impact. It does not limit the extortion leverage created by exfiltrated data. Data loss prevention controls and monitoring for large-volume outbound data transfers are directly relevant to limiting Dark Angels’ ability to exfiltrate meaningful leverage.
Assume threat actor patience. Security monitoring calibrated to detect rapid attacks may miss a methodical actor with extended dwell time. Behavioral analytics that detect low-and-slow enumeration, privilege escalation over weeks, and gradual data staging are necessary to catch this type of operation.
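To make the last two points concrete, here is an added example (not from the original article or any vendor tool) of detection logic for large-volume and low-and-slow outbound transfers: it aggregates per-host egress volume per day and per window over constructed sample proxy log lines, flagging both a single-day spike and a host whose daily volume never crosses the spike threshold but whose cumulative transfer to one external destination does. Host names, destinations, volumes and thresholds are all assumptions.

```python
from collections import defaultdict

GB = 10**9

# Constructed sample egress log lines (not from any real incident).
# Fields: timestamp, internal source host, external destination, bytes sent.
SAMPLE_LOG = """\
2024-01-03T02:14:00Z fileserver01 storage.example-cloud.net 180000000000
2024-01-04T02:20:00Z fileserver01 storage.example-cloud.net 195000000000
2024-01-05T02:11:00Z fileserver01 storage.example-cloud.net 210000000000
2024-01-06T02:09:00Z fileserver01 storage.example-cloud.net 170000000000
2024-01-03T11:00:00Z workstation07 cdn.vendor-updates.example 40000000
2024-01-04T11:05:00Z workstation07 cdn.vendor-updates.example 35000000
2024-01-05T09:30:00Z dbserver03 transfer.example-cloud.net 900000000000
"""

def parse_log(text):
    """Parse log lines into (day, src, dst, bytes) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((ts[:10], src, dst, int(nbytes)))  # ts[:10] is YYYY-MM-DD
    return records

def find_exfil_candidates(records, daily_limit=250 * GB, window_limit=500 * GB):
    """Return {(src, dst): reason} for host/destination pairs worth triage.
    'spike' - one day's outbound volume exceeds daily_limit (fast exfiltration).
    'slow'  - every day stays under daily_limit, but the cumulative volume across
              the whole log window exceeds window_limit (gradual staging that a
              per-day threshold alone would miss).
    """
    per_day = defaultdict(int)
    for day, src, dst, nbytes in records:
        per_day[(src, dst, day)] += nbytes
    totals, spikes = defaultdict(int), set()
    for (src, dst, day), nbytes in per_day.items():
        totals[(src, dst)] += nbytes
        if nbytes > daily_limit:
            spikes.add((src, dst))
    findings = {}
    for pair, total in totals.items():
        if pair in spikes:
            findings[pair] = "spike"
        elif total > window_limit:
            findings[pair] = "slow"
    return findings

if __name__ == "__main__":
    for (src, dst), reason in sorted(find_exfil_candidates(parse_log(SAMPLE_LOG)).items()):
        print(f"{reason:5} {src} -> {dst}")
```

In production the thresholds would be replaced by a per-host baseline, and known backup-to-cloud pairings allowlisted, so that the 'slow' rule surfaces only deviations from normal egress.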
Assessment
Dark Angels represents a mature, disciplined ransomware operation optimising for financial return per operation rather than operational volume. Their record payment from Cencora validates their targeting model and finances continued operations. Their deliberate low profile is a sustainable strategy: it reduces law enforcement pressure, reduces the intelligence collection surface, and maintains negotiating leverage by keeping victim lists short and leaks limited.
The group will likely continue operating at their current tempo, selectively targeting large enterprises with high data sensitivity. Organisations in healthcare, pharmaceutical, and technology sectors — particularly those with revenues above $1 billion and significant patient, customer, or IP data — should treat Dark Angels as a credible and prioritised threat actor in their threat modelling.