Researchers have spotted new ransomware, DarkAngels, that has similarities with Babuk ransomware. On the basis of these similarities, it is suspected that the DarkAngels ransomware is a rebranded version of Babuk.

The connection

According to a report by Cyble, there is a strong correlation between the codes shared by DarkAngels and Babuk.
  • Same as Babuk, DarkAngels appends a signature ‘choung dong looks like hot dog’ at the end of the locked file, implying the ransomware is associated with Babuk.
  • DarkAngels ransomware excludes several file extensions, including .exe, .dll, and .babyk. .babyk is known to be excluded by Babuk ransomware as well.

Notable differences

Unlike Babuk ransomware, DarkAngels attacks are observed targeting specific organizations. This approach indicates that some attackers are specifically selecting their targets.

Technical info

The DarkAngels ransomware appends the ‘.crypt’ extension to encrypted files and drops How_To_Restore_Your_Files[.]txt.
  • When executed, the ransomware makes changes to the priority of its own process to zero by calling an API. Due to this, the malware’s activities can be stopped only before the system shutdown.
  • To identify the services in the victim’s machine, it calls an API, which makes a connection to the service control manager and gives access to the service control manager database.
  • After gaining access, it enumerates the services and gets the service names in the victim’s machines. It checks for VSS, SQL, and Memtas services and terminates them if running in a VM.
  • So far, no DarkAngels leak site is identified, however, considering the targeted attacks we may see it.


Using existing malware source code and modifying and rebranding, like in the case of DarkAngels, has become a common trend among cybercriminals. Organizations are recommended to use reliable anti-malware and internet security solutions.
Cyware Publisher