Dark Angels is a ransomware operation that launched in May 2022, when it began targeting organizations worldwide. Like almost all human-operated ransomware gangs, Dark Angels breaches corporate networks and then spreads laterally through them. During this time, the threat actors steal data from file servers to be used in double-extortion attacks.
When they gain access to the Windows domain controller, the threat actors deploy the ransomware to encrypt all devices on the network. The threat actors initially used Windows and VMware ESXi encryptors based on the leaked source code of the Babuk ransomware. However, cybersecurity researcher MalwareHunterTeam tells BleepingComputer that the Linux encryptor used in the Johnson Controls attack is the same as the ones used by Ragnar Locker since 2021.
Incidents Associated with this Threat
- September 24, 2023: Massive Ransomware Attack at Johnson Controls